Abstract

We use functional specification techniques to describe systems and their components. We define the notions of property refinement and interaction refinement for interactive systems and their components. Interaction refinement allows changes to the syntactic interface (the number of channels and the sorts of messages on the channels) as well as the semantic interface (causality flow between messages and interaction granularity). We prove that these notions of refinement are compositional with respect to sequential and parallel composition, communication feedback, and recursive declarations of system components. These proofs demonstrate that refinements of networks can be accomplished in a modular way by refining their components. We generalize the notions of refinement to refining contexts. Finally, we define full abstraction for specifications and show compositionality with respect to this abstraction as well.



Contents 

1 Introduction 1 

2 Specification 3 

3 Composition 7 

3.1 Composition of Functions 8 

3.2 Composition of Specifications 11 

4 Refinement, Representation, Abstraction 12 

4.1 Property Refinement 12 

4.2 Interaction Refinement 13 

5 Compositionality of Interaction Refinement 21 

5.1 Sequential and Parallel Composition 21 

5.2 Feedback 23 

6 Recursively defined Specifications 28 

6.1 Semantics of Recursively Defined Specifications 28 

6.2 Refinement of Recursively Specified Components 30 

7 Predicate Transformers as Refinements 34 

8 Conclusion 41

A Appendix: Full Abstraction 42



1 Introduction 

A distributed interactive system consists of a family of interacting components. To 
reduce complexity, they can be developed by a number of successive steps. In each 
step, the system is described in more detail and closer to an implementation level. We 
speak of levels of abstraction and of stepwise refinement in system development. 

Logical implication provides a simple concept of stepwise refinement when logical 
specifications are used to describe the behavior of system components. A system com- 
ponent specification is a refinement of another specification if it exhibits all specified 
properties and possibly more. Refinement allows the replacement of system specifica- 
tions by more refined ones exhibiting more specific properties. 

More sophisticated notions of refinement allow the refinement of a system component to 
one exhibiting quite different properties than the original one. In this case, however, we 
need a concept relating the behaviors of the refined system component to behaviors of 
the original one such that behaviors of the refined system component can be understood 
to represent behaviors of the original. The behavior of interactive system components 
is basically given by their interaction with their environment. Therefore the refinement 
of system components basically has to deal with the refinement of their interaction. We 
will introduce such a notion of interaction refinement. 

Concepts of refinement for software systems have been investigated since the early 
1970s. Data structure refinement is treated in Hoare's pioneering paper [Hoare 72]. 
These ideas were further explored and developed (see, for instance, [Jones 86], [Broy et al. 86], [Sannella 88]; see [Coenen et al. 91] for a survey). The idea of refining interacting
systems has also been treated in numerous papers (see, for instance, [Lamport 83], 
[Abadi, Lamport 90], and [Back 90]). 

Typically, distributed interactive systems are composed of a number of components that 
interact, for example, by exchanging messages or by updating shared memory. Various 
forms of composition allow the construction of systems from smaller ones. Parallel 
and sequential composition, communication feedback, and recursion are basic forms 
of composition for systems. 

A method for specifying system components is called compositional (or modular) 
for a set of forms of composition if the specifications of composed systems can be 
derived from the specifications of the constituent components. We call a refinement 
concept compositional, if refinements of a composed system are obtained by giving 
refinements for the components. Traditionally, compositional notions of specification 
and refinement for concurrent systems are considered hard to obtain. For instance, the 
elegant approach of [Chandy, Misra 88] is not compositional with respect to liveness 
properties and does not provide a compositional notion of refinement. 

Note that it only makes sense to talk about compositionality with respect to a set of 
forms of composition. Forms of composition of system components define an algebra 
of systems, also called a process algebra. Not all approaches to system specifications 
emphasize forms of composition for systems. For instance, in state machine oriented
specifications, systems are modelled by state transitions. No particular forms of com- 
position of system components are used. As a consequence compositionality is less 
significant there. Approaches that favor describing systems using forms of composition 
are called "algebraic". A discussion of the advantages and disadvantages of algebraic 
versus nonalgebraic approaches can be found, for instance, in [Janssen et al. 91]. 

Finding compositional specification methods and compositional interaction refinement 
concepts is difficult. Compositional refinement seems especially difficult to achieve 
for programming languages with tightly coupled parallelism, such as the "rendezvous" 
concept in CCS and CSP. In tightly coupled parallelism, the actions are used directly 
for the synchronization of parallel activities. Therefore the granularity of the actions 
cannot be refined, in general, without changing the synchronization structure (see, for 
instance, [Aceto, Hennessy 91] and [Vogler 91]).

The following sections present a compositional notion of refinement where the gran- 
ularity of interaction can be refined. We use functional, purely descriptive, "nonoper- 
ational" specification techniques. The behavior of distributed systems interacting by 
communication over channels is represented by functions processing streams of mes- 
sages. Streams of messages represent communication histories on channels. System 
component specifications are predicates characterizing sets of stream processing func- 
tions. System components described that way can be composed and decomposed using 
the above mentioned forms of composition such as sequential and parallel composition 
as well as communication feedback. With these forms of composition all kinds of finite 
data processing nets can be described. Allowing in addition recursive declarations even 
infinite data processing nets can be described. 

In the following, concepts of refinement for interactive system components are defined 
that allow one to change both the number of channels of a component as well as the 
granularity of the messages sent by it. In particular, basic theorems are proved that show 
that our notion of refinement is compositional for the basic compositional forms as well 
as for recursive declarations. Accordingly for an arbitrary net of interacting components 
a refinement is schematically obtained by giving refinements for its components. The 
correctness of such a refinement follows according to the proved theorems schematically 
from the correctness proofs for the refinements of the components. 

We give examples for illustrating the compositionality of refinement. We have deliber- 
ately chosen very simple examples to keep their specifications small such that we can 
concentrate on the refinement aspects. The simplicity of these examples does not mean 
that much more complex examples cannot be treated. 

Finally we generalize our notion of refinement to refining contexts. Refining contexts 
allow refinements of components where the refined presentation of the input history 
may depend on the output history. In particular, this allows unreliable components to be 
understood as refinements of reliable components, as long as the refining context takes 
care of the unreliability. Refining contexts are represented by predicate transformers 
with special properties. We give examples for refining contexts. 
An appendix treats full abstraction of functional specifications for these composing forms.

2 Specification 

In this section we introduce the basic notions for functional system models and func- 
tional system specifications. In the following we study system components that ex- 
change messages asynchronously via channels. A stream represents a communication 
history for a channel. A stream of messages over a given message set M is a finite or 
infinite sequence of messages. We define 

$M^\omega =_{df} M^* \cup M^\infty$

where $M^*$ denotes the finite and $M^\infty$ the infinite sequences over $M$.

We briefly repeat the basic concepts from the theory of streams that we shall use later. 
More comprehensive explanations can be found in [Broy 90]. 

• By $x \frown y$ we denote the result of concatenating two streams $x$ and $y$. We assume that $x \frown y = x$, if $x$ is infinite.

• By $\langle\rangle$ we denote the empty stream.

• If a stream $x$ is a prefix of a stream $y$, we write $x \sqsubseteq y$. The relation $\sqsubseteq$ is called prefix order. It is formally specified by

$x \sqsubseteq y =_{df} \exists z \in M^\omega : x \frown z = y$

• By $(M^\omega)^n$ we denote tuples of $n$ streams. The prefix ordering on streams as well as the concatenation of streams is extended to tuples of streams by elementwise application.

A tuple of finite streams represents a partial communication history for a tuple of 
channels. A tuple of infinite streams represents a total communication history for a 
tuple of channels. 

The behavior of deterministic interactive systems with n input channels and m output 
channels is modeled by (n, m)-ary stream processing functions 

f : (M")" (MT 

A stream processing function determines the output history for a given communication 
history for the input channels in terms of tuples of streams. 
Example 1 Stream processing function

Let a set D of data elements be given and let the set of messages M be specified by: 

$M = D \cup \{?\}$

Here the symbol $?$ is a signal representing a request. For data elements $d \in D$ a stream processing function

$(c.d) : M^\omega \to M^\omega$

is specified by

$\forall e \in D, x \in M^\omega : (c.d)(? \frown x) = d \frown ? \frown (c.d)(x)$
$\wedge\ (c.d)(e \frown x) = e \frown (c.e)(x)$

The function $(c.d)$ describes the behavior of a simple storage cell that can store exactly one data element. Initially $d$ is stored. The behavior of the component modeled by $(c.d)$ can be illustrated by an example input

[illustration: an input stream of data elements $d_1, d_2, d_3, d_4$ interleaved with requests and the corresponding output stream $(c.d_1).x$; not recoverable from the extracted text]

The function $(c.d)$ is a simple example of a stream processing function where every input message triggers exactly one output message.

End of example 

In the following we use some notions from domain and fixed point theory that are 
briefly listed: 

• A stream processing function $f$ is called prefix monotonic, if for all tuples of streams $x, y \in (M^\omega)^n$ we have

$x \sqsubseteq y \Rightarrow f.x \sqsubseteq f.y$

We denote the function application $f(x)$ by $f.x$ to avoid brackets.

• By $\sqcup S$ we denote a least upper bound of a set $S$, if it exists.

• A set $S$ is called directed, if for any pair of elements $x$ and $y$ in $S$ there exists an upper bound of $x$ and $y$ in $S$.

• A partially ordered set is called complete, if every directed subset has a least upper bound.

• A stream processing function $f$ is called prefix continuous, if $f$ is prefix monotonic and for every directed set $S \subseteq (M^\omega)^n$ we have:

$f.\sqcup S = \sqcup \{f.x : x \in S\}$
The set of streams as well as the set of tuples of streams are complete. For every directed set of streams there exists a least upper bound.

We model the behavior of interactive system components by sets of continuous (and 
therefore by definition also monotonic) stream processing functions. Monotonicity 
models causality between input and output. Continuity models the fact that for every 
behavior the system's reaction to infinite input can be predicted from the component's 
reactions to all finite prefixes of this input¹. Monotonicity takes care of the fact that in an interactive system output already produced cannot be changed when further input arrives. The empty stream is to be seen as representing the information "further communication unspecified". Note, in the example above by the preimposed monotonicity of the function $(c.d)$ we conclude $(c.d)(\langle\rangle) = \langle\rangle$; otherwise, we could construct a contradiction.

A specification describes a set of stream processing functions that represent the behav- 
iors of the specified systems. If this set is empty, the specification is called inconsistent, 
otherwise it is called consistent. If the set contains exactly one element, then the 
specification is called determined. If this set has more than one element, then the
specification is called underdetermined and we also speak of underspecification. As 
we shall see, an underdetermined specification may be refined into a determined one. 
An underdetermined specification can also be used to describe hardware or software 
units that are nondeterministic. An executable system is called nondeterministic, if it 
is underdetermined. Then the underspecification in the description of the behaviors 
of a nondeterministic system allows nondeterministic choices carried out during the 
execution of the system. In the descriptive modeling of interactive systems there is 
no difference in principle between underspecification and the operational notion of
nondeterminism. In particular, it does not make any difference in such a framework, 
whether these nondeterministic choices are taken before the execution starts or step by 
step during the execution. 

The set of all (n,m)-ary prefix continuous stream processing functions is denoted by 

$SPF^m_n$

The number and sorts of input channels as well as output channels of a specification 
are called the component's syntactic interface. The behavior, represented by the set 
of functions that fulfill a specification, is called the component's semantic interface. 
The semantic interface includes in particular the granularity of the interaction and the 
causality between input and output. For simplicity we do not consider specific sort 
information for the individual channels of components in the following and just assume 
M to be a set of messages. However, all our results carry over straightforwardly to 
stream processing functions where more specific sorts are attached to the individual 
channels. 

¹This does not exclude the specification of more elaborate liveness properties including fairness. Note, fairness is, in general, a property that has to do with "fair" choices between an infinite number of behaviors.
Figure 1: Graphical representation of a component Q

A specification of a possibly underdetermined interactive system component with n 
input channels and m output channels is modeled by a predicate 

$Q : SPF^m_n \to Bool$

characterizing prefix continuous stream processing functions. Q is called an (n, m)-ary 
system's specification. A graphical representation of an (n, m)-ary system component 
Q is given in Figure 1 . The set of specifications of this form is denoted by 

$SPEC^m_n$

Example 2 Specification 

A component called C (for storage Cell) with just one input channel and one output 
channel is specified by the predicate C. The component C can be seen as a simple store 
that can store exactly one data element. C specifies functions $f$ of the functionality:

$f : M^\omega \to M^\omega$

Let the sets D and M be specified as in example 1. If C receives a data element it 
sends a copy on its output channels. If it receives a request represented by the signal 
?, it repeats its last data output followed by the signal ? to indicate that this is repeated 
output. The signal ? is used this way for indicating a "read storage content request". 
The signal ? triggers the read operation. A data element in the input stream changes the 
content of the store. The message d triggers the write operation. Initially the cell carries 
an arbitrary data element. This behavior is formalized by the following specification 
for C:

$C.f = \exists d \in D : f = (c.d)$

where the auxiliary function $(c.d)$ is specified as in example 1. Notice that the data element stored initially is not specified and thus component C is underdetermined.



End of example 
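As an added illustration (not part of the report), the storage cell $(c.d)$ of Examples 1 and 2 on finite stream prefixes, with a check of the prefix monotonicity required in section 2 and of the underdetermination of C; the function names and sample streams are this example's own:

```python
from itertools import product
from typing import Callable, Iterable, Tuple

REQ = "?"                    # the request signal
Stream = Tuple[str, ...]     # a finite prefix of a stream over M = D ∪ {?}


def cell(d: str, x: Stream) -> Stream:
    """(c.d)(x) on a finite prefix x:
         (c.d)(? ^ x) = d ^ ? ^ (c.d)(x)   read: repeat the content, mark it with ?
         (c.d)(e ^ x) = e ^ (c.e)(x)       write: copy e, e becomes the content
       (c.d)(<>) = <> is forced by monotonicity."""
    out, stored = [], d
    for msg in x:
        if msg == REQ:
            out += [stored, REQ]
        else:
            out.append(msg)
            stored = msg
    return tuple(out)


def is_prefix(x: Stream, y: Stream) -> bool:
    """x ⊑ y in the prefix order."""
    return y[:len(x)] == x


def prefixes(x: Stream) -> Iterable[Stream]:
    return (x[:i] for i in range(len(x) + 1))


def prefix_monotone(f: Callable[[Stream], Stream], x: Stream) -> bool:
    """x' ⊑ y' ⇒ f.x' ⊑ f.y' for all prefixes x', y' of the sample stream x:
    output already produced is never withdrawn when further input arrives."""
    return all(is_prefix(f(a), f(b))
               for a, b in product(prefixes(x), repeat=2) if is_prefix(a, b))


def spec_C(f: Callable[[Stream], Stream], D: Iterable[str], x: Stream) -> bool:
    """C.f = ∃ d ∈ D : f = (c.d), checked on the sample stream x for a finite D."""
    return any(f(x) == cell(d, x) for d in D)


def initial_content_observable(D: Iterable[str], x: Stream) -> bool:
    """The initial content is observable only if x requests before it writes;
    otherwise all functions (c.d), d ∈ D, agree on x."""
    return len({cell(d, x) for d in D}) > 1
```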
For a deterministic specification $Q$ where for exactly one function $q$ the predicate $Q$ is fulfilled, in other words where we have

$Q.f \Leftrightarrow f = q$

we often write (by misuse of notation) simply $q$ instead of $Q$. This way we identify determined specifications and their behaviors.

By $I_m \in SPF^m_m$ we denote the identity function; that is we assume

$\forall x \in (M^\omega)^m : I_m.x = x$

We shall drop the index $m$ for $I_m$ whenever it can be avoided without confusion.

By $\Omega^m_n \in SPF^m_n$ we denote the function that produces for every input just the empty stream as output on all its output channels; that is we define

$\forall x \in (M^\omega)^n : \Omega^m_n.x = \langle\rangle^m$

Similarly we write $\dagger^m$ for the unique function in $SPF^0_m$, in other words the function with $m$ input channels, but with no output channels.

By $\Lambda^m_n \in SPEC^m_n$ we denote the logically weakest specification, which is the specification that is fulfilled by all stream processing functions. It is defined by

$\forall f \in SPF^m_n : \Lambda^m_n.f$

By $T^n$ we denote the function that produces two copies of its input. We have $T^n \in SPF^{2n}_n$ and

$\forall x \in (M^\omega)^n : T^n.x = (x, x)$

By $X^{nm} \in SPF^{m+n}_{n+m}$ we denote the function that permutes its input streams as follows (let $x \in (M^\omega)^n$, $y \in (M^\omega)^m$):

$X^{nm}(x, y) = (y, x)$

Again we shall drop the index $n$ as well as $m$ in $\Lambda^m_n$, $\dagger^m$ and $T^n$ whenever it can be avoided without confusion.



3 Composition 

In this section we introduce the basic forms of composition namely sequential compo- 
sition, parallel composition and feedback. These compositional forms are introduced 
for functions first and then extended to component specifications. 
3.1 Composition of Functions

Given functions

$f \in SPF^m_n,\ g \in SPF^k_m$

we write

$f; g$

for the sequential composition of the functions $f$ and $g$ which yields a function in $SPF^k_n$ where

$(f; g).x = g(f(x))$

Given functions

$f \in SPF^{m_1}_{n_1},\ g \in SPF^{m_2}_{n_2}$

we write

$f \| g$

for the parallel composition of the functions $f$ and $g$ which yields a function in $SPF^{m_1+m_2}_{n_1+n_2}$ where (let $x \in (M^\omega)^{n_1}$, $y \in (M^\omega)^{n_2}$):

$(f \| g).(x, y) = (f.x, g.y)$

We assume that ";" has higher precedence than "$\|$". Given a function

$f \in SPF^m_{n+m}$

we write

$\mu f$

for the feedback of the output streams of function $f$ to its input channels which yields a function in $SPF^m_n$ where

$(\mu f).x = fix\ \lambda y : f(x, y)$

Here $fix$ denotes the fixed point operator associating with any monotonic function $f$ its least fixed point $fix.f$. Thus $y = (\mu f).x$ means that $y$ is the least solution (with respect to the prefix ordering) of the equation $y = f(x, y)$. We assume that "$\mu$" has higher precedence than the binary operators ";" and "$\|$". A graphical representation for feedback is given in Figure 2.

We obtain a number of useful rules by the fixed point definition of $\mu f$. As a simple consequence of the fixed point characterization, we get the unfold rules:

$\mu f = T; (I \| \mu f); f$

$\mu f = T; \mu((I \| f); f)$

A graphical representation of the unfold rules for feedback is given in Figure 3.
Figure 2: Graphical representation of feedback

Figure 3: Graphical representation of the unfold rules for feedback
Figure 4: Graphical representation of semiunfold

A useful rule for feedback is semiunfold that allows one to move components outside or inside the feedback loop (let $f \in SPF^m_{n+k}$, $g \in SPF^k_m$):

$\mu(f; g) = \mu((I \| g); f); g$

A graphical representation for semiunfold is given in Figure 4.

For reasoning about feedback loops and fixed points the following special case of semiunfold is often useful:

$fix\ \lambda y : m \frown f(x, y) = m \frown fix\ \lambda y : f(x, m \frown y)$

The rule is an instance of semiunfold with $g = \lambda y : m \frown y$. The correctness of this rule can also be seen by the following argument: if $y$ is the least fixed point of

$\lambda y : m \frown f(x, y)$

and $\bar{y}$ is the least fixed point of

$\lambda y : f(x, m \frown y)$

then $y = m \frown \bar{y}$ and thus

$y = m \frown fix\ \lambda y : f(x, m \frown y)$

Semiunfold is a powerful rule when reasoning about results of feedback loops.
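As an added illustration (not part of the report), the feedback operator $\mu f$ computed as the Kleene chain $\langle\rangle, f(x, \langle\rangle), f(x, f(x, \langle\rangle)), \ldots$ on finite stream prefixes, together with a check of the special case of semiunfold stated above; the body `counter_body` and all function names are this example's own:

```python
from typing import Callable, List, Tuple

Stream = Tuple[int, ...]
# f : (M^ω)^n × (M^ω)^m → (M^ω)^m, here with n = m = 1
Body = Callable[[Stream, Stream], Stream]


def is_prefix(x: Stream, y: Stream) -> bool:
    """x ⊑ y in the prefix order."""
    return y[:len(x)] == x


def kleene_chain(f: Body, x: Stream, steps: int) -> List[Stream]:
    """Approximations y_0 = <>, y_{k+1} = f(x, y_k) of (μf).x = fix λy : f(x, y).
    For prefix-continuous f the least fixed point is the lub of this chain."""
    chain: List[Stream] = [()]
    for _ in range(steps):
        chain.append(f(x, chain[-1]))
    return chain


def chain_is_monotone(chain: List[Stream]) -> bool:
    """Each approximation extends the previous one: output is never withdrawn."""
    return all(is_prefix(a, b) for a, b in zip(chain, chain[1:]))


def lfp_prefix(f: Body, x: Stream, steps: int, length: int) -> Stream:
    """The first `length` messages of (μf).x, read off the chain after `steps` steps."""
    return kleene_chain(f, x, steps)[-1][:length]


def counter_body(x: Stream, y: Stream) -> Stream:
    """A prefix-monotonic body: emit the first input message, then every fed-back
    message increased by one.  Its least fixed point for x = <5> is 5, 6, 7, ..."""
    if not x:
        return ()
    return (x[0],) + tuple(v + 1 for v in y)


def solves_equation(f: Body, x: Stream, steps: int) -> bool:
    """y = (μf).x solves y = f(x, y); on a finite approximation this reads
    y ⊑ f(x, y): one more unfolding only extends the approximation."""
    y = kleene_chain(f, x, steps)[-1]
    return is_prefix(y, f(x, y))


def semiunfold_special_case(f: Body, x: Stream, m: Stream,
                            steps: int, length: int) -> bool:
    """fix λy : m ^ f(x, y)  =  m ^ fix λy : f(x, m ^ y),
    compared on the first `length` messages of both sides."""
    lhs = lfp_prefix(lambda a, b: m + f(a, b), x, steps, length)
    rhs = (m + lfp_prefix(lambda a, b: f(a, m + b), x, steps, length))[:length]
    return lhs == rhs
```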
3.2 Composition of Specifications

We want to compose specifications of components to networks. Each form of composition introduced for functions can be extended to component specifications in a straightforward way. Given component specifications

$Q \in SPEC^m_n,\ R \in SPEC^k_m$

we write

$Q; R$

for the predicate in $SPEC^k_n$ where

$(Q; R).f \Leftrightarrow \exists q, r : Q.q \wedge R.r \wedge f = q; r$

Trivially we have for all specifications $Q \in SPEC^m_n$ the following equations:

$Q; I = Q$
$I; Q = Q$

Given specifications

$Q \in SPEC^{m_1}_{n_1},\ R \in SPEC^{m_2}_{n_2}$

we write

$Q \| R$

for the predicate in $SPEC^{m_1+m_2}_{n_1+n_2}$ where

$(Q \| R).f \Leftrightarrow \exists q, r : Q.q \wedge R.r \wedge f = q \| r$

Given specification

$Q \in SPEC^m_{n+m}$

we write

$\mu Q$

for the predicate in $SPEC^m_n$ where

$(\mu Q).f \Leftrightarrow \exists q : Q.q \wedge f = \mu q$
For feedback over underdetermined specifications we get the following rules²:

$\mu Q \Rightarrow T; (I \| \mu Q); Q$

$\mu Q \Rightarrow T; \mu((I \| Q); Q)$

²For determined system specifications $Q$ we get the stronger rules $\mu Q = T; (I \| \mu Q); Q$ and $\mu Q = T; \mu((I \| Q); Q)$ which do not hold for underdetermined systems, in general. The erroneous assumption that these rules are valid also for underdetermined systems is the source for the merge anomaly (see [Brock, Ackermann 81]).

A useful rule for feedback is fusion that allows one to move components that are not affected by the feedback outside or inside the feedback operator application. Let $R \in SPEC^k_n$ and $Q \in SPEC^m_{k+m}$:

$R; \mu Q = \mu((R \| I); Q)$
M((eiir); (/P)) = M(0; HWR) 

With the help of the basic functions and the forms of composition introduced so far we can represent all kinds of finite networks of systems (data flow nets)³. Our composing forms lead to an algebra of system descriptions.

4 Refinement, Representation, Abstraction 

In this section we introduce concepts of refinement for system components both with 
respect to the properties of their behaviors as well as with respect to their syntactic 
interface and granularity of interaction. 

We start by defining a straightforward notion of property refinement for system com- 
ponent specifications. Then we introduce a notion of refinement for communication 
histories. Based on this notion we define the concept of interaction refinement for inter- 
active components. This notion allows refining a component by changing the number 
of input and output channels as well as the granularity of the exchanged messages. 

4.1 Property Refinement 

Specifications are predicates characterizing functions. This leads to a simple notion of 
refinement of component specifications by adding logical properties. 
Given specifications

$Q, \hat{Q} \in SPEC^m_n$

$\hat{Q}$ is called a (property) refinement of $Q$ if for all $f \in SPF^m_n$:

$\hat{Q}.f \Rightarrow Q.f$

Then we write

$\hat{Q} \Rightarrow Q$

If $\hat{Q}$ is a property refinement for $Q$, then $\hat{Q}$ has all the properties $Q$ has and maybe some more. Every behavior that $\hat{Q}$ shows is also a possible behavior of $Q$.

³Of course, our combinatorial style for defining networks is not always very useful, in practice, since the combinatorial formulas are hard to read. However, we prefer throughout this report to work with these combinatorial formulas, since this puts emphasis on the compositional forms and the structure of composition. For practical purposes a notation with named channels is often more adequate.
All considered composing forms are monotonic for the refinement relation as indicated by the following theorem.

Theorem 1 (Compositionality of Refinement)

$(\hat{Q}_1 \Rightarrow Q_1) \wedge (\hat{Q}_2 \Rightarrow Q_2) \Rightarrow (\hat{Q}_1; \hat{Q}_2 \Rightarrow Q_1; Q_2)$

$(\hat{Q}_1 \Rightarrow Q_1) \wedge (\hat{Q}_2 \Rightarrow Q_2) \Rightarrow (\hat{Q}_1 \| \hat{Q}_2 \Rightarrow Q_1 \| Q_2)$

$(\hat{Q} \Rightarrow Q) \Rightarrow (\mu \hat{Q} \Rightarrow \mu Q)$

Proof: Straightforward, since all operators for specifications are defined pointwise on the sets of functions that are specified.

□

A simple example of a property refinement is obtained for the component C as described 
in Example 2 on page 8 if we add properties about the data element initially stored in 
the cell. A property refinement does not allow one to change the syntactic interface of 
a component, however. 

4.2 Interaction Refinement 

Recall from section 2 that streams model communication histories on channels. In more sophisticated development steps for a component the number of channels and the sorts of messages on channels are changed. Such steps do not represent property refinements. Therefore we introduce a more general notion of refinement. To be able to do this we study concepts of representation of communication histories on $n$ channels modeled by a tuple of $n$ streams by communication histories on $m$ channels modeled by a tuple of $m$ streams.

Tuples of streams $y \in (M^\omega)^m$ can be seen as representations of tuples of streams $x \in (M^\omega)^n$, if we introduce a mapping $\rho \in SPF^m_n$ that associates with every $x$ its representation. $\rho$ is called a representation function. If $\rho$ is injective then it is called a definite representation function. Note, a mapping $\rho$ is injective, if and only if:

$\forall x, \bar{x} : \rho.x = \rho.\bar{x} \Rightarrow x = \bar{x}$

If a specification $R \in SPEC^m_n$ is used for the specification of a set of representation functions, $R$ is called a representation specification.

Example 3 Representation Specification

We give a representation specification $R$ that allows streams of data elements and requests to be represented by two separate streams, one of which carries the requests and the other of which carries the data elements. The representation functions are mappings $\rho$ of the following functionality:

$\rho : M^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$

Here $\surd$ is used as a separator signal. It can be understood as a time tick that separates messages. Given streams $x$ and $y$ let $[x, y]$ denote a pair of streams and $[x, y] \frown [\bar{x}, \bar{y}]$ the elementwise concatenation of pairs of streams, in other words:

$[x, y] \frown [\bar{x}, \bar{y}] = [x \frown \bar{x}, y \frown \bar{y}]$

Let $Ticks$ be defined by the set of pairs of streams of ticks that have equal length:

$Ticks = \{[\surd^k, \surd^k] : k \in \mathbb{N}\}$

We specify the representation specification $R$ explicitly as follows:

$R.\rho = \forall d \in D, x \in M^\omega : \exists t \in Ticks : \rho(? \frown x) = t \frown [?, \langle\rangle] \frown \rho.x$
$\wedge\ \exists t \in Ticks : \rho(d \frown x) = t \frown [\surd, d] \frown \rho.x$

Note, by the monotonicity of the specified functions:

$R.\rho \Rightarrow \exists t \in Ticks : \rho.\langle\rangle = t$

The computation of a representation is illustrated by the following example (for a representation function $\rho$ with $R.\rho$ that chooses $t = [\langle\rangle, \langle\rangle]$ at every step):

$\rho(? \frown ? \frown d_1 \frown ? \frown d_2 \frown ? \frown d_3 \frown x) = [? \frown ? \frown \surd \frown ? \frown \surd \frown ? \frown \surd,\ d_1 \frown d_2 \frown d_3] \frown \rho(x)$

The example demonstrates how the time ticks are used to indicate in the streams $\rho(x)$ the order of the requests relative to the data messages in the original stream $x$.

End of example

The elements in the images of the functions $\rho$ with $R.\rho$ are called representations.

Definition 1 (Definite representation specification) A representation specification $R$ is called definite, if

$\forall x, \bar{x}, \rho, \bar{\rho} : R.\rho \wedge R.\bar{\rho} \wedge \rho.x = \bar{\rho}.\bar{x} \Rightarrow x = \bar{x}$

In other words $R$ is definite, if different streams $x$ are always differently represented.

Obviously, if $R$ is a definite representation specification, then all functions $\rho$ with $R.\rho$ are definite. For definite representation specifications for elements $x$ and $\bar{x}$ with $x \neq \bar{x}$ the sets of representation elements $\{\rho.x : R.\rho\}$ and $\{\rho.\bar{x} : R.\rho\}$ are disjoint. Note, the representation specification given in the example above is definite.

For every injective function, and thus for every definite representation function $\rho$, there exists a function $\alpha \in SPF^n_m$ such that:

$\rho; \alpha = I$

The function $\alpha$ is an inverse to $\rho$ on the image of $\rho$. The function $\alpha$ is called an abstraction for $\rho$. Notice that $\alpha$ is not uniquely determined if $\rho$ is not surjective. In other words, if the elements in $(M^\omega)^m$ are not all used as representations of elements in $(M^\omega)^n$ there may be several functions $\alpha$ with $A.\alpha$, as defined below.

The concept of abstractions for definite representation functions can be extended to definite representation specifications.

Definition 2 (Abstraction function) Let $R \in SPEC^m_n$ be a definite representation specification; a function $\alpha \in SPF^n_m$ with

$R; \alpha = I$

is called an abstraction function for $R$.

The existence of abstractions follows from the definition of definite representation specification. Again for definite representation specifications the abstraction functions $\alpha$ are uniquely determined only on the image of $R$, that is on the union of the images of functions $\rho$ with $R.\rho$.

Definition 3 (Abstraction for a definite representation specification) Let $A \in SPEC^n_m$ be the specification with

$A.\alpha \Leftrightarrow R; \alpha = I$

Then $A$ is called the abstraction for $R$.

For consistent definite representation specifications $R$ with abstraction $A$ we have

$R; A = I$

If $\rho; A = I \Rightarrow R.\rho$ then $R$ contains all possible choices of representation functions for the abstraction $A$.

Example 4 Abstraction

For the representation specification $R$ described in example 3 the abstraction functions $\alpha$ are mappings of the functionality:

$\alpha : \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \to M^\omega$

The specification of $A$ reads as follows.

$A.\alpha = \forall d \in D, x \in \{?, \surd\}^\omega, y \in (D \cup \{\surd\})^\omega :$

$\alpha(? \frown x, y) = ? \frown \alpha(x, y)$
$\wedge\ \alpha(\surd \frown x, \surd \frown y) = \alpha(x, y)$
$\wedge\ \alpha(\surd \frown x, d \frown y) = d \frown \alpha(x, y)$

It is a straightforward rewriting proof that indeed:

$R; A = I$

The specification $A$ shows a considerable amount of underspecification, since not all pairs of streams in $\{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$ are used as representations.

End of example
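As an added illustration (not part of the report), one representation function $\rho$ with $R.\rho$ from Example 3 and one abstraction $\alpha$ with $A.\alpha$ from Example 4 on finite prefixes, with checks that $\alpha(\rho.x) = x$ and that distinct streams never share a representation (Definition 1); the fixed tick choice $t = [\surd^k, \surd^k]$, the function names and the sample streams are this example's own:

```python
from itertools import combinations
from typing import List, Tuple

REQ, TICK = "?", "√"          # request signal and separator tick of Example 3
Stream = Tuple[str, ...]
Pair = Tuple[Stream, Stream]  # a pair [x, y] of streams


def rep(x: Stream, k: int = 0) -> Pair:
    """A representation function ρ with R.ρ on a finite prefix x.  R leaves the
    tick block t ∈ Ticks free at every step; this ρ always picks t = [√^k, √^k]
    (a constructed choice).  ρ.<> = t is the block appended at the end."""
    reqs: List[str] = []
    data: List[str] = []
    for msg in x:
        reqs += [TICK] * k; data += [TICK] * k        # t ∈ Ticks
        if msg == REQ:
            reqs.append(REQ)                          # ^ [?, <>]
        else:
            reqs.append(TICK); data.append(msg)       # ^ [√, d]
    reqs += [TICK] * k; data += [TICK] * k            # ρ.<> = t
    return tuple(reqs), tuple(data)


def abstract(reqs: Stream, data: Stream) -> Stream:
    """An abstraction α with A.α (Example 4) on finite prefixes:
         α(? ^ x, y)     = ? ^ α(x, y)
         α(√ ^ x, √ ^ y) =     α(x, y)
         α(√ ^ x, d ^ y) = d ^ α(x, y)
       When no clause applies (a stream is exhausted) the output stops."""
    out: List[str] = []
    i = j = 0
    while i < len(reqs):
        if reqs[i] == REQ:
            out.append(REQ); i += 1
        elif j < len(data):
            if data[j] != TICK:
                out.append(data[j])
            i += 1; j += 1
        else:
            break
    return tuple(out)


def round_trip(x: Stream, ks=(0, 1, 2)) -> bool:
    """R; A = I: α(ρ.x) = x for every tick choice tried."""
    return all(abstract(*rep(x, k)) == x for k in ks)


def definite_on(sample: List[Stream], ks=(0, 1, 2)) -> bool:
    """Definition 1 on a finite sample: distinct streams never share a
    representation, whichever tick choices produce the representations."""
    reps = [(x, rep(x, k)) for x in sample for k in ks]
    return all(r1 != r2
               for (x1, r1), (x2, r2) in combinations(reps, 2) if x1 != x2)
```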

Parallel and sequential composition of definite representations leads to definite representations again.

Theorem 2 Let $R_i \in SPEC^{m_i}_{n_i}$ be definite representation specifications for $i = 1, 2$; then

$R_1 \| R_2$
$R_1; R_2$

(assuming $m_1 = n_2$ in the second formula) are definite representation specifications.

Proof: Sequential and parallel composition of injective functions leads to injective functions.

□

Trivially we can obtain the abstractions of the composed representations by composing the abstractions.

For many applications, representation specifications are neither required to be determined nor even definite. For an indefinite representation specification the sets of representation elements for different elements are not necessarily disjoint. Certain representation elements $y$ do occur in several sets of representations for elements. They ambiguously stand for ("represent") different elements. Such an element may represent the streams $x$ as well as $\bar{x}$, if $\rho.x = \bar{\rho}.\bar{x}$ for functions $\rho$ and $\bar{\rho}$ with $R.\rho$ and $R.\bar{\rho}$. For indefinite representation specifications the represented elements are not uniquely determined by the representation elements. A representation element $y$ stands for the set

$\{x : \exists \rho : R.\rho \wedge \rho.x = y\}$

For a definite representation specification $R$ this set contains exactly one element while for an indefinite representation specification $R$ this set may contain more than one element. In the latter case, of course, abstraction functions $\alpha$ with $R; \alpha = I$ do not exist.

However, even for certain indefinite representations we can introduce the concept of an abstraction.

Definition 4 (Uniform representation specifications) A consistent specification $R \in SPEC$ is called a uniform representation specification, if there exists a specification $A \in SPEC$ such that for all $p$:

$R.p \Rightarrow R ; A ; p = p$

The specification $A$ is again called the abstraction for $R$.

The formula expresses that $(R ; A)$ is a left-neutral element for every representation function in $R$. Essentially the existence of an abstraction expresses the following property of $R$: if for different elements $x$ and $\bar x$ the same representations are possible, then every representation function maps these elements onto equal representations. More formally stated, if there exist functions $p$ and $\bar p$ with $R.p$ and $R.\bar p$ such that

$p.x = \bar p.\bar x$

then for all functions $p$ with $R.p$:

$p.x = p.\bar x$

Thus if elements are identified by some representation functions, this identification is present in all representation functions. The same amount of information is "forgotten" by all the representations. The representation functions then are indefinite in a uniform way. Definite representations are always uniform.

A function $p$ is injective, if for all $x$ and $\bar x$ we have:

$p.x = p.\bar x \Rightarrow x = \bar x$

A function $p$ that is not injective defines a nontrivial partition on its domain. A representation specification is uniform if and only if all functions $p$ with $R.p$ define the same partition.

For a uniform representation specification $R$ with abstraction $A$ the product $(R ; A)$ reflects the underspecification in the choices of the representations provided by $R$. If for a function $y$ with $(R ; A).y$ we have $\bar x = y.x$, then $x$ and $\bar x$ have the same representations.
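As an added illustration of the uniformity condition (this is constructed example code, not part of the paper): on a finite abstract domain a set of representation functions is uniform exactly when every function induces the same partition, and in that case an abstraction $a$ with $p ; a ; p' = p'$ for all $p, p'$ in $R$ can be built by choosing one abstract element per representation element. The domain ABSTRACT, the functions p_count, p_sorted, p_len and p_identity, and all helper names are my own assumptions.

```python
# Added example (not from the paper): uniform vs. non-uniform representation
# specifications on a constructed finite domain.

# Constructed abstract domain: short messages over the alphabet {a, b}.
ABSTRACT = ["", "a", "b", "aa", "ab", "ba", "bb"]

# Constructed representation functions (each maps an abstract element to a
# representation element; the type of the code word does not matter).
def p_count(x):     # forgets the order of the letters
    return (x.count("a"), x.count("b"))

def p_sorted(x):    # also forgets the order, but codes differently
    return "".join(sorted(x))

def p_len(x):       # forgets more: only the length survives
    return len(x)

def p_identity(x):  # injective: a definite representation
    return x

UNIFORM_REPS = [p_count, p_sorted]     # both identify exactly {ab, ba}
NON_UNIFORM_REPS = [p_count, p_len]    # p_len identifies aa, ab, ba, bb too

def partition_of(p, domain):
    """The partition of `domain` induced by p: the classes {x : p.x = y}."""
    classes = {}
    for x in domain:
        classes.setdefault(p(x), set()).add(x)
    return frozenset(frozenset(c) for c in classes.values())

def is_definite(reps, domain):
    """Definite: every representation function is injective on the domain."""
    return all(len({p(x) for x in domain}) == len(domain) for p in reps)

def is_uniform(reps, domain):
    """Uniform (Definition 4): all representation functions induce the same
    partition, so they all 'forget' the same information."""
    return len({partition_of(p, domain) for p in reps}) == 1

def make_abstraction(reps, domain):
    """An abstraction a: maps a representation element y to one abstract
    element of the set {x : exists p in R : p.x = y}."""
    table = {}
    for p in reps:
        for x in domain:
            table.setdefault(p(x), x)
    return lambda y: table[y]

def satisfies_abstraction_law(reps, a, domain):
    """Check R.p => R; A; p = p, i.e. p2(a(p1(x))) == p2(x) for all p1, p2
    in R and all x. This holds iff the abstraction really exists for R."""
    return all(p2(a(p1(x))) == p2(x)
               for p1 in reps for p2 in reps for x in domain)
```

Running the checks shows that UNIFORM_REPS is uniform but not definite and the abstraction built from it satisfies the law, whereas for NON_UNIFORM_REPS the same construction violates the law, since no abstraction can exist when the functions forget different amounts of information.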

Definition 5 (Adequate representation) A uniform representation specification $R$ with abstraction $A$ is called adequate for a specification $Q$, if:

$Q ; R ; A \Rightarrow Q$

Figure 5: Commuting diagram of interaction refinement

Adequacy means that the underspecification in $(R ; A)$ does not introduce more underspecification into $Q ; R ; A$ than was already present in $Q$. Note, definite representations are adequate for all specifications $Q$.

Definition 6 (Interaction refinement) Given representations $R \in SPEC$, $\bar R \in SPEC$ and specifications $Q \in SPEC$, $\bar Q \in SPEC$ we say that $\bar Q$ is an interaction refinement of $Q$ for the representation specifications $R$ and $\bar R$, if

$R ; \bar Q \Rightarrow Q ; \bar R$

This definition indicates that we can replace via an interaction refinement a system of the form $Q ; \bar R$ by a refined system of the form $R ; \bar Q$. We may think about the relationship between $Q$ and $\bar Q$ as follows: the specification $Q$ specifies a component on a more abstract level while $\bar Q$ gives a specification for the component at a more concrete level. Instead of computing at the abstract level with $Q$ and then translating the output via $\bar R$ onto the output representation level, we may translate the input by $R$ onto the input representation level and compute with $\bar Q$. We obtain one of these famous commuting diagrams as shown in Figure 5.

Definition 7 (Adequate interaction refinement) The interaction refinement $\bar Q$ of $Q$ for the representation specifications $R$ and $\bar R$ is called adequate for a specification $Q$, if $\bar R$ is adequate for $Q$.

For adequate interaction refinements using uniform representation specifications $\bar R$ with abstraction $A \in SPEC$, we obtain

$R ; \bar Q ; A \Rightarrow Q$

Figure 6: Commuting diagram of interaction refinement

since from the interaction refinement property we get

$R ; \bar Q ; A \Rightarrow Q ; \bar R ; A$

and by the adequacy of $\bar R$ for $Q$

$Q ; \bar R ; A \Rightarrow Q$

which shows that $R ; \bar Q ; A$ is a (property) refinement of $Q$. A graphical illustration of adequate interaction refinement is shown in Figure 6.
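The following added example (my own construction, not code from the paper) instantiates the definitions above for single functions: a definite representation $R$ with abstraction $A$ such that $R ; A = I$, an abstract component $Q$ (a running sum of 16-bit values) and a refined component $\bar Q$ that works on a byte stream, checked on constructed input. As in Example 5 below, the same representation is used on the input and on the output side, so the interaction refinement condition becomes $R ; \bar Q = Q ; R$ and the adequacy consequence becomes $R ; \bar Q ; A = Q$. The representation changes the interaction granularity (one abstract message becomes two concrete ones). All names and the message space are assumptions.

```python
# Added example (not from the paper): interaction refinement with a definite
# representation, checked on finite stream prefixes (tuples).

MOD = 1 << 16   # constructed abstract message space: 16-bit values

def seq(f, g):
    """Sequential composition f ; g on stream functions."""
    return lambda x: g(f(x))

def q_abstract(x):
    """Abstract component Q: running sum modulo 2^16 of the input stream."""
    out, acc = [], 0
    for v in x:
        acc = (acc + v) % MOD
        out.append(acc)
    return tuple(out)

def rep(x):
    """Representation function p of R: every 16-bit value becomes two byte
    messages (high byte first). Injective, so R is definite."""
    out = []
    for v in x:
        out += [v >> 8, v & 0xFF]
    return tuple(out)

def abstraction(y):
    """Abstraction function a of A: parse complete byte pairs; an unfinished
    trailing byte yields nothing yet, which keeps a prefix-monotone."""
    return tuple((y[i] << 8) | y[i + 1] for i in range(0, len(y) - 1, 2))

def q_concrete(y):
    """Refined component Q-bar working on the byte stream: accumulate per
    complete pair and emit the sum as two bytes."""
    out, acc = [], 0
    for i in range(0, len(y) - 1, 2):
        acc = (acc + ((y[i] << 8) | y[i + 1])) % MOD
        out += [acc >> 8, acc & 0xFF]
    return tuple(out)

def representation_is_definite(x):
    """R ; A = I on the sample: abstracting a representation gives it back."""
    return seq(rep, abstraction)(x) == tuple(x)

def is_interaction_refinement(x):
    """R ; Q-bar = Q ; R on the sample: translating the input and computing
    with Q-bar equals computing with Q and translating the output."""
    return seq(rep, q_concrete)(x) == seq(q_abstract, rep)(x)

def is_property_refinement(x):
    """R ; Q-bar ; A = Q on the sample: the consequence of adequacy."""
    return seq(seq(rep, q_concrete), abstraction)(x) == q_abstract(x)
```

Note that q_concrete only reacts to complete pairs: a single leftover byte produces no output yet, which is what makes the refined function prefix-monotone on the finer-grained concrete stream.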

The following table summarizes the most important definitions so far.

Table of definitions

$\bar Q$ property refinement of $Q$: $\bar Q.f \Rightarrow Q.f$
$R$ consistent, definite with abstraction $A$: $R ; A = I$
$R$ uniform with abstraction $A$: $R.p \Rightarrow R ; A ; p = p$
$R$ adequate for $Q$ with abstraction $A$: $Q ; R ; A \Rightarrow Q$
Interaction refinement $\bar Q$ of $Q$ for $R$, $\bar R$: $R ; \bar Q \Rightarrow Q ; \bar R$
Adequate interaction refinement: $\bar R$ uniform and adequate for $Q$

The notion of interaction refinement allows one to change both the syntactic and the semantic interface. The syntactic interface is determined by the number and sorts of channels; the semantic interface is determined by the behavior of the component, represented by the causality between input and output and by the granularity of the interaction.



Example 5 Interaction Refinement

We refine the component $C$ as given in Example 2 into a component $\bar C$ that has, instead of one input and one output channel, two input and two output channels. The refinement $\bar C$ uses one of its channels carrying the signal ? as a read channel and one of its channels carrying data as a write channel. Let $R$ and $A$ be given as specified in the examples above.

We specify the interaction refinement $\bar C$ of $C$ explicitly. $\bar C$ specifies functions of functionality:

$f : \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$

We specify:

$\bar C.f \equiv \exists d \in D : f = h.d$

where the auxiliary function $h$ is specified by:

$h : D \to (\{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega)$

$\forall d, e \in D, x \in \{?, \surd\}^\omega, y \in (D \cup \{\surd\})^\omega :$

$\wedge\ (h.d)(\surd \frown x, \surd \frown y) = [\surd, \surd] \frown (h.d)(x, y)$
$\wedge\ (h.e)(\surd \frown x, d \frown y) = [\surd, d] \frown (h.d)(x, y)$

It is a straightforward proof to show:

$R ; \bar C \Rightarrow C ; R$

Assume $p$ with $R.p$ and $h$ such that there exist $f$ and $d$ with $\bar C.f$ and $f = h.d$; we prove by induction on the length of the stream $x$ that there exist $\bar p$ with $R.\bar p$ and $c.d$ as specified in Example 1 such that:

$(h.d).p.x = \bar p.(c.d).x$

For $x = \langle\rangle$ we obtain: there exists $t \in Ticks$ such that:

$(h.d).p.x =$
$(h.d).t =$
$t =$
$\bar p.x =$
$\bar p.(c.d).x$

Now assume the hypothesis holds for $x$; there exists $t \in Ticks$:

$(h.d).p(? \frown x) =$
$(h.d)(t \frown [?, \surd] \frown p.x) =$
$t \frown [?, d] \frown (h.d).p.x =$
$\bar p(d \frown ? \frown (c.d).x) =$
$\bar p.(c.d)(? \frown x)$

There exists $t \in Ticks$:

$(h.e).p(d \frown x) =$
$(h.e)(t \frown [\surd, d] \frown p.x) =$
$t \frown [\surd, d] \frown (h.d).p.x =$
$\bar p(d \frown (c.d).x) =$
$\bar p.(c.e)(d \frown x)$

This concludes the proof for finite streams $x$. By the continuity of $h$ and $p$ the proof is extended to infinite $x$.

End of example

Continuing with the system development after an adequate interaction refinement of a component we may decide to leave $R$ and $A$ unchanged and carry on by just further refining $\bar Q$.

5 Compositionality of Interaction Refinement 

Large nets of interacting components can be constructed by our forms of composition. 
When refining such large nets it is decisive for keeping the work manageable that inter- 
action refinements of the components lead to interaction refinements of the composed 
system. 

In the following we prove that interaction refinement is indeed compositional for 
sequential and parallel composition and for communication feedback. 

5.1 Sequential and Parallel Composition 

For systems composed by sequential compositions, refinements can be constructed by 
refining their components. 

Theorem 3 (Compositionality of refinement, seq. composition) Assume $\bar Q_i$ is an interaction refinement of $Q_i$ for the representations $R_{i-1}$ and $R_i$ for $i = 1, 2$; then $\bar Q_1 ; \bar Q_2$ is an interaction refinement of $Q_1 ; Q_2$ for the representations $R_0$ and $R_2$.

Proof: A straightforward derivation shows the theorem:

$R_0 ; \bar Q_1 ; \bar Q_2 \Rightarrow$ {monotonicity of ;, $\bar Q_1$ interaction refinement of $Q_1$}
$Q_1 ; R_1 ; \bar Q_2 \Rightarrow$ {monotonicity of ;, $\bar Q_2$ interaction refinement of $Q_2$}
$Q_1 ; Q_2 ; R_2$

□

Example 6 Compositionality of Refinement for Sequential Composition

Let $C$ and $\bar C$ be specified as in the example above. Of course, we may compose $C$ as well as $\bar C$ sequentially. We define the components $CC$ and $\bar C\bar C$ by:

$CC =_{df} C ; C$

$\bar C\bar C =_{df} \bar C ; \bar C$

Note, $CC$ is a cell that repeats its last input twice on a signal ?. It is a straightforward application of our theorem of the compositionality of refinement that $\bar C\bar C$ is a refinement of $CC$:

$R ; \bar C\bar C \Rightarrow CC ; R$

Of course, since $R ; A = I$ we also have that $R ; \bar C\bar C ; A$ is a property refinement of $CC$.

End of example

Refinement is compositional for parallel composition, too. 

Theorem 4 (Compositionality of refinement for parallel composition) Assume $\bar Q_i$ is an interaction refinement of $Q_i$ for the representations $R_i$ and $\bar R_i$ for $i = 1, 2$; then $\bar Q_1 \| \bar Q_2$ is an interaction refinement of $Q_1 \| Q_2$ for the representations $R_1 \| R_2$ and $\bar R_1 \| \bar R_2$.

Proof: A straightforward derivation shows the theorem:

$(R_1 \| R_2) ; (\bar Q_1 \| \bar Q_2) =$ {rule for sequential and parallel composition}
$(R_1 ; \bar Q_1) \| (R_2 ; \bar Q_2) \Rightarrow$ {$\bar Q_i$ interaction refinement of $Q_i$}
$(Q_1 ; \bar R_1) \| (Q_2 ; \bar R_2) =$ {rule for sequential and parallel composition}
$(Q_1 \| Q_2) ; (\bar R_1 \| \bar R_2)$

□

For sequential and parallel composition compositionality of refinement is quite straight- 
forward. This can be seen from the simplicity of the proofs. 
5.2 Feedback

For the feedback operator, refinement is not immediately compositional. We do not obtain, in general, that $\mu \bar Q$ is an interaction refinement of $\mu Q$ for the representations $R$ and $\bar R$ provided $\bar Q$ is an interaction refinement of $Q$ for the representations $R \| \bar R$ and $\bar R$. This is true, however, if $I \Rightarrow (A ; \bar R)$ (see below). The reason is as follows. In the feedback loops of $\mu \bar Q$ we cannot be sure that only representations of streams (i.e. streams in the images of some of the functions characterized by $\bar R$) occur. Therefore, we have to give a slightly more complicated scheme of refinement for feedback.

Theorem 5 (Compositionality of refinement, feedback) Assume $\bar Q$ is an interaction refinement of $Q$ for the representation specifications $R \| \bar R$ and $\bar R$ where $\bar R$ is uniform; then $\mu((I \| A ; \bar R) ; \bar Q)$ is an interaction refinement of $\mu Q$ for the representations $R$ and $\bar R$.

Proof: We prove:

$(R ; \mu((I \| A ; \bar R) ; \bar Q)).f \Rightarrow ((\mu Q) ; \bar R).f$

From

$(R ; \mu((I \| A ; \bar R) ; \bar Q)).f$

we conclude that there exist functions $p$, $\bar q$, $\bar p$, and $a$ such that $R.p$, $\bar Q.\bar q$, $\bar R.\bar p$, and $A.a$ and furthermore

$f = p ; \mu((I \| a ; \bar p) ; \bar q)$

Since $\bar Q$ is an interaction refinement of $Q$ for the representations $R \| \bar R$ and $\bar R$, for functions $p$ with $R.p$ and $\bar p$ with $\bar R.\bar p$ and $\bar q$ with $\bar Q.\bar q$ there exist functions $q$ and $\bar p$ such that $Q.q$ and $\bar R.\bar p$ hold and furthermore

$(p \| \bar p) ; \bar q = q ; \bar p$

Given $x$, by the continuity of $p$, $\bar q$, $\bar p$, and $a$, we may define $\mu((I \| a ; \bar p) ; \bar q).p.x$ by $\bigsqcup \bar y_i$ where

$\bar y_0 = \langle\rangle$
$\bar y_{i+1} = \bar q(p.x, \bar p.a.\bar y_i)$

Moreover, because of the continuity of $q$ we may define $\bar p.(\mu q).x$ by $\bar p.\bigsqcup y_i$ where

$y_0 = \langle\rangle$
$y_{i+1} = q(x, y_i)$

We prove:

$\bar p.\bigsqcup y_i = \bigsqcup \bar y_i$

by computational induction. We prove by induction on $i$ the following proposition:

$\bar y_i \sqsubseteq \bar p.y_i \sqsubseteq \bar y_{i+1}$

If $i = 0$, we have:

$\bar y_0 \sqsubseteq$ {$\bar y_0$ is the least element}
$\bar p.y_0 \sqsubseteq$ {$y_0$ is the least element}
$\bar p.q(x, y_0) =$ {refinement property}
$\bar q(p.x, \bar p.y_0) \sqsubseteq$ {$y_0$ is the least element}
$\bar q(p.x, \bar p.a.\bar y_0) =$ {definition of $\bar y_1$}
$\bar y_1$

Assume now the proposition holds for $i$; then we obtain:

$\bar y_{i+1} =$ {definition of $\bar y_{i+1}$}
$\bar q(p.x, \bar p.a.\bar y_i) \sqsubseteq$ {induction hypothesis}
$\bar q(p.x, \bar p.a.\bar p.y_i) =$ {uniformity of $\bar R$}
$\bar q(p.x, \bar p.y_i) =$ {refinement property}
$\bar p.q(x, y_i) =$ {definition of $y_{i+1}$}
$\bar p.y_{i+1}$

Furthermore we get:

$\bar p.y_{i+1} =$ {definition of $y_{i+1}$}
$\bar p.q(x, y_i) =$ {refinement property}
$\bar q(p.x, \bar p.y_i) =$ {uniformity of $\bar R$}
$\bar q(p.x, \bar p.a.\bar p.y_i) \sqsubseteq$ {induction hypothesis}
$\bar q(p.x, \bar p.a.\bar y_{i+1}) =$ {definition of $\bar y_{i+2}$}
$\bar y_{i+2}$

From this we conclude by the continuity of $\bar p$ that:

$\bigsqcup \bar y_i = \bar p.\bigsqcup y_i$

and thus

$\mu((I \| a ; \bar p) ; \bar q).p.x = \bar p.(\mu q).x$

and finally

$((\mu Q) ; \bar R).(p ; \mu((I \| a ; \bar p) ; \bar q))$

□
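The proof above computes a feedback loop as the limit of the chain $y_0 = \langle\rangle$, $y_{i+1} = q(x, y_i)$. The following added example (my own construction, not code from the paper) runs exactly that iteration on finite stream prefixes for a constructed two-input component, running_sum, whose output fed back turns it into a prefix-sum cell, and shows that a component without any delay between feedback input and output, no_delay, has the least fixed point $\langle\rangle$. The names running_sum, no_delay and feedback are assumptions.

```python
# Added example (not from the paper): the feedback operator mu q on finite
# stream prefixes via the Kleene chain y_0 = <>, y_{i+1} = q(x, y_i).

def is_prefix(s, t):
    """Prefix order on finite streams (tuples)."""
    return len(s) <= len(t) and t[:len(s)] == s

def running_sum(x, y):
    """Constructed component q with inputs x (external) and y (fed back):
    z_0 = x_0 and z_i = x_i + y_{i-1}. An output element only depends on
    earlier feedback elements, so q is prefix-monotone in y and, with its
    output fed back as y, the loop computes the prefix sums of x."""
    z = []
    for i, xi in enumerate(x):
        if i == 0:
            z.append(xi)
        elif i - 1 < len(y):
            z.append(xi + y[i - 1])
        else:
            break    # the feedback element needed here is not available yet
    return tuple(z)

def no_delay(x, y):
    """Constructed component whose output z_i = x_i + y_i needs the feedback
    element of the same position: no element can ever be produced first."""
    return tuple(xi + yi for xi, yi in zip(x, y))

def feedback(q, x):
    """mu q applied to x: iterate from the least element until the chain is
    stable. Returns the fixed point and the whole chain y_0, y_1, ..."""
    chain = [()]
    while True:
        y_next = q(x, chain[-1])
        if not is_prefix(chain[-1], y_next):
            raise ValueError("q is not monotone in its feedback input")
        if y_next == chain[-1]:
            return y_next, chain
        chain.append(y_next)
```

For finite $x$ the chain is strictly increasing in length until it becomes stable, so the loop terminates; on infinite streams the same iteration describes the least upper bound the proof works with.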



Assuming an adequate refinement allows us to obtain immediately the following corollary.

Theorem 6 (Compositionality of adequate refinement, feedback) Assume $\bar Q$ is an adequate interaction refinement of $Q$ for the representations $R \| \bar R$ and $\bar R$ with abstraction $A$; then $\mu(\bar Q ; A ; \bar R)$ is an interaction refinement of $\mu Q$ for the representations $R$ and $\bar R$.

Proof: Let all the definitions be as in the proof of the previous theorem. Since the interaction refinement is assumed to be adequate there exists a function $q$ with $Q.q$ such that

$q ; \bar p ; a ; \bar p = q ; \bar p$

Carrying out the proof of the previous theorem with this $q$ and $\bar p$ in place of the ones chosen there we get:

$\mu((I \| a ; \bar p) ; \bar q) = (\mu q) ; \bar p$

By straightforward computational induction we may prove

$\mu(\bar q ; a ; \bar p) = \mu((I \| a ; \bar p) ; \bar q)$

This concludes the proof.

□

Assuming that $A ; \bar R$ contains the identity as a refinement we can simplify the refinement of feedback loops.

Theorem 7 Assume $\bar Q$ is an interaction refinement of $Q$ for the representations $R \| \bar R$ and $\bar R$ with abstraction $A$ and assume furthermore

$I \Rightarrow A ; \bar R$

then $\mu \bar Q$ is an interaction refinement of $\mu Q$ for the representations $R$ and $\bar R$.

Proof: Straightforward deduction shows:

$R ; \mu \bar Q \Rightarrow$
$R ; \mu((I \| A ; \bar R) ; \bar Q) \Rightarrow$
$(\mu Q) ; \bar R$

□

Note, even if $I$ is not a refinement of $A ; \bar R$, in other words even if $I \Rightarrow A ; \bar R$ does not hold, other refinements of $A ; \bar R$ may be used to simplify and refine the term $A ; \bar R$ in $\mu((I \| A ; \bar R) ; \bar Q)$. By the fusion rule for feedback as introduced in Section 3 we obtain:

$R ; \mu(\bar Q ; A ; \bar R) = \mu((R \| I) ; \bar Q ; A ; \bar R)$

This may allow further refinements for $\bar Q ; A ; \bar R$.
Example 7 Compositionality of Refinement for Feedback

Let us introduce the component $F$ with two input channels and one output channel. It specifies functions of the following functionality:

$f : M^\omega \to M^\omega \to M^\omega$

$F$ is specified as follows:

$F.f \equiv \forall x, y \in M^\omega : \exists d \in D : f(x, y) = g(x, d \frown y)$

where the auxiliary function $g$ is specified by

$g : M^\omega \to M^\omega \to M^\omega$

where $\forall d, e \in D, m \in M, x, y \in M^\omega$:

$g(x, d \frown ? \frown y) = g(x, d \frown y)$
$\wedge\ g(? \frown x, d \frown y) = d \frown ? \frown g(x, y)$
$\wedge\ g(d \frown x, e \frown y) = d \frown g(x, y)$

It is a straightforward proof that for the specification $C$ as defined in Example 1:

$\mu F = C$

We carry out this proof by induction on the length of the input streams $x$. We show that $\mu f$ fulfills the defining equations for functions $c.d$ in the definition of $C$ in Example 2. Let $f$ be a function with $F.f$ and $g$ be a function as specified above in the definition of $F$. We have to consider just two cases: by the definition of $f$ there exists $g$ as defined above such that there exists $d$:

$\mu f(? \frown x) =$
$fix.\lambda y : g(? \frown x, d \frown y) =$
$fix.\lambda y : d \frown ? \frown g(x, y) =$
$d \frown ? \frown fix.\lambda y : g(x, d \frown ? \frown y) =$
$d \frown ? \frown fix.\lambda y : g(x, d \frown y)$

$\mu f(e \frown x) =$
$fix.\lambda y : g(e \frown x, d \frown y) =$
$fix.\lambda y : e \frown g(x, y) =$
$e \frown fix.\lambda y : g(x, e \frown y)$

Induction on the length of $x$ and the continuity of the function $g$ conclude the proof.

The refinement $\bar F$ of $F$ according to the representation specification $R$ from Example 3 specifies functions of the functionality:

$f : \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \times \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$



It reads as follows:

$\bar F.f \equiv \forall x, \bar x, y, \bar y : \exists d \in D : f(x, \bar x, y, \bar y) = \bar g(x, \bar x, \surd \frown y, d \frown \bar y)$

where the auxiliary function $\bar g$ is specified by

$\bar g : \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \times \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$

$\forall d, e \in D, x, y \in \{?, \surd\}^\omega, \bar x, \bar y \in (D \cup \{\surd\})^\omega :$

f(x,x,T~'y,y) =J(x,xy"y, y) 

A H?"-*^' x,-^'^ y, d'~^'~y) — [^"7, d'~^]'~'g{x, x,^" y,^"" >0 

A 'g{^^x, d'~'^'~'x,^'~' y, = \^ , <i"^]"J'(x, x, y, )0 

A 'g{~J^x,~J^ X, y, 5) = ]"i~(x, X, y, y) 

A ^(x.xy^yy^y) =^(x,x, y, y) 

We have (again, this can be proved by a straightforward rewrite proof):

$(R \| R) ; \bar F = F ; R$

Moreover, we have according to Theorem 5:

$R ; \mu((I \| A ; R) ; \bar F) \Rightarrow (\mu F) ; R$

and therefore

$R ; \mu((I \| A ; R) ; \bar F) \Rightarrow C ; R$

Note, the refinement is definite and therefore adequate for $F$. Therefore we may replace $\mu((I \| A ; R) ; \bar F)$ by $\mu(\bar F ; A ; R)$.

The component $\mu(\bar F ; A ; R)$ can be further refined by refining $A ; R$. Let us, therefore, look for a simplification of $A ; R$. We do not have

$I \Rightarrow A ; R$

since by the monotonicity of all $a$ with $A.a$ we have:

$a(\langle\rangle, d \frown \langle\rangle) = \langle\rangle$

(otherwise we obtain a contradiction, since by monotonicity the first elements of $a(x, d \frown y)$ would have to coincide for all $x$ and $y$). Therefore for all $p$ with $R.p$:

$\exists t \in Ticks : p.a(\langle\rangle, d \frown \langle\rangle) = t \frown [\langle\rangle, \langle\rangle]$

This indicates that there are no functions $p$ and $a$ with $R.p$ and $A.a$ such that $p.a.x = x$ is valid for all $x$. We therefore cannot simply refine $A ; R$ into $I$.

We continue the refinement by refining $p$. We take into account properties of $\bar F$. A simple rewriting proof shows:

$(R \| I) ; \bar F \Rightarrow (R \| I) ; \bar F ; A ; R$

Summarizing our refinements we obtain:

$R ; \mu \bar F \Rightarrow$
$\mu((R \| I) ; \bar F) \Rightarrow$
$\mu((R \| I) ; \bar F ; A ; R) \Rightarrow$
$R ; \mu(\bar F ; A ; R) \Rightarrow$
$R ; \mu((I \| A ; R) ; \bar F)$

This concludes our example of refinement for feedback.

End of example

Recall that every finite network can be represented by an expression that is built by our 
forms of composition. The theorems show that a network can be refined by defining 
representation specifications for the channels and by refining all its components. This 
provides a modular method of refinement for networks. 

6 Recursively defined Specifications

Often the behavior of interactive components is specified by recursion. Given a function

$\tau : SPEC \to SPEC$

a recursive declaration of a component specification $Q$ is given by a declaration based on $\tau$:

letrec $Q.f = \tau[Q].f$

Recursive specifications are restricted in the following to functions $\tau$ that exhibit certain properties.

6.1 Semantics of Recursively Defined Specifications

A function $\tau$ as above is monotonic with respect to implication, if:

$(Q \Rightarrow \bar Q) \Rightarrow (\tau[Q] \Rightarrow \tau[\bar Q])$

A set $\{Q_i : i \in \mathbb{N}\}$ of specifications is called a chain, if for all $i \in \mathbb{N}$ and for all functions $f \in SPF$:

$Q_{i+1}(f) \Rightarrow Q_i(f)$
A function $\tau$ is continuous with respect to implication, if for every chain $\{Q_i : i \in \mathbb{N}\}$ and for all functions $f \in SPF$:

$\tau[Q].f = \forall i \in \mathbb{N} : \tau[Q_i].f$ where $Q.f \equiv \forall i \in \mathbb{N} : Q_i(f)$

Note, the set of all specifications forms a complete lattice.

Definition 8 (Predicate transformer) A predicate transformer is a function

$\tau : SPEC \to SPEC$

that is monotonic and continuous with respect to implication (refinement).

Note, if $\tau$ is defined by $\tau[X] = Net(X)$ where $Net(X)$ is a finite network composed of basic component specifications by our forms of composition, then $\tau$ is a predicate transformer.

A recursive declaration of a component specification $Q$ is given by a defining equation (often called the fixed point equation) based on a predicate transformer $\tau$:

letrec $Q = \tau[Q]$

A predicate $Q$ is called a fixed point of $\tau$ if:

$Q = \tau[Q]$

In general, for a function $\tau$ there exist several predicates $Q$ that are fixed points of $\tau$. In fixed point theory a partial order on the domain of $\tau$ is established such that every monotonic function $\tau$ has a least fixed point. This fixed point is associated with the identifier $f$ by a recursive declaration of the form $f = \tau.f$. For defining the semantics of programming languages the choice of the ordering, which determines the notion of the least fixed point, has to take into account operational considerations. There the ordering used in the fixed point construction has to reflect the stepwise approximation of a result by the execution. For specifications such operational constraints are less significant.

Therefore we choose a very liberal interpretation for recursive declarations of specifications in the following. For doing so we define the concept of an upper closure of a specification. The upper closure $S$ is again a predicate transformer. It is defined by the following equation:

$S[Q].f \equiv \exists g : Q.g \wedge g \sqsubseteq f$

Notice that $S$ is a classical closure operator, since it has the following characteristic properties:

$(Q \Rightarrow \bar Q) \Rightarrow (S[Q] \Rightarrow S[\bar Q])$
$S[Q] = S[S[Q]]$

A predicate $Q$ is called upward closed, if $Q = S[Q]$. Note, by $S$ the least element $\Omega$ is mapped onto the specification $L$ that is fulfilled by every function, that is $S[\Omega] = L$. From a methodological point of view it is sufficient to restrict our attention to specifications that are upward closed [4]. This methodological consideration and the considerable simplification of the formal interpretation of recursive declarations are the reasons for considering only upward closed solutions of recursive equations.

A predicate transformer $\tau$ is called upward closed, if for all predicates $Q$ we have:

$\tau[Q] = S[\tau[Q]]$

By the recursive declaration

letrec $Q = \tau[Q]$

we associate with $Q$ the predicate that fulfills the following equation:

$Q.f = \forall i \in \mathbb{N} : Q_i.f$

where the predicates $Q_i$ are specified by:

$Q_0 = L$
$Q_{i+1} = S[\tau[Q_i]]$

According to this definition we associate with a recursive declaration the logically weakest [5] predicate $Q$ such that

$Q = S[\tau[Q]]$

The predicate $Q$ is then denoted by $fix.\tau$.
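The iteration $Q_0 = L$, $Q_{i+1} = S[\tau[Q_i]]$ can be carried out literally on a finite model. The following added example (my own construction, not code from the paper) represents a function from two input values to streams over one letter, cut off at length N, by its tuple of output lengths, a specification by the set of functions fulfilling it, $\sqsubseteq$ by the pointwise prefix order, and $\tau$ by a constructed guarded transformer ("emit one message, then behave like some function of X"). The names N, INPUTS, tau and fix_tau are assumptions.

```python
# Added example (not from the paper): the least upward-closed fixed point
# Q_0 = L, Q_{i+1} = S[tau[Q_i]] computed on a constructed finite model.
from itertools import product

N = 3                 # streams over one letter, cut off at length N
INPUTS = (0, 1)       # a function is a tuple of output lengths, one per input
L = frozenset(product(range(N + 1), repeat=len(INPUTS)))   # every function
BOTTOM = (0,) * len(INPUTS)                                 # all outputs <>

def below(g, f):
    """g is below f in the pointwise prefix order (here: pointwise <=)."""
    return all(a <= b for a, b in zip(g, f))

def upper_closure(Q):
    """S[Q].f  iff  there exists g with Q.g and g below f."""
    return frozenset(f for f in L if any(below(g, f) for g in Q))

def is_upward_closed(Q):
    return upper_closure(Q) == Q

def tau(X):
    """Constructed monotone predicate transformer: tau[X].f iff f emits one
    message and then behaves like some g with X.g (lengths capped at N)."""
    return frozenset(tuple(min(N, 1 + g[i]) for i in range(len(INPUTS)))
                     for g in X)

def fix_tau(t):
    """fix.t: iterate Q_{i+1} = S[t[Q_i]] from Q_0 = L. The chain decreases
    by implication (set inclusion), so the conjunction of all Q_i is the
    last member once the chain is stable. Returns (fix.t, chain)."""
    chain = [L]
    while True:
        q_next = upper_closure(t(chain[-1]))
        if not q_next <= chain[-1]:
            raise ValueError("not a chain: t is not monotone")
        if q_next == chain[-1]:
            return q_next, chain
        chain.append(q_next)
```

In this model $S$ maps the specification fulfilled only by the least function (all outputs empty) onto L, as noted above, and fix.tau is the single function that always produces the maximal stream: the only upward-closed solution of "emit a message, then recurse".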

6.2 Refinement of Recursively Specified Components

A uniform representation specification $R$ with abstraction $A$ is called adequate for the predicate transformer $\tau$, if for all predicates $X$:

$(X ; R ; A \Rightarrow X) \Rightarrow (\tau[X] ; R ; A \Rightarrow \tau[X])$

[4] Taking the upper closure for a specification may change its safety properties. However, only safety properties for those behaviors may be changed where the further output, independent of further input, is empty. A system with such a behavior does not produce a specific message on an output channel, even if we increase the streams of the messages on the input channels. Then what output is produced on that channel is obviously not relevant at all.

[5] True is considered weaker than false.

Adequacy implies that specifications for which $R$ is adequate are mapped by $\tau$ onto specifications for which $R$ is adequate again.

Uniform interaction refinement is compositional for recursive definitions based on predicate transformers for which the refinement is adequate. Again, definite representations are always adequate.



Theorem 8 (Compositionality of refinement for recursion) Let representation specifications $R$ and $\bar R$ be given, where $\bar R$ is uniform with abstraction $A$ and adequate for the predicate transformer

$\tau : SPEC \to SPEC$

For a predicate transformer

$\bar\tau : SPEC \to SPEC$

where

$R ; L \Rightarrow L ; \bar R$

and for all predicates $X$, $\bar X$:

$(R ; \bar X \Rightarrow X ; \bar R) \Rightarrow (R ; \bar\tau[\bar X] \Rightarrow \tau[X] ; \bar R)$

we have

$R ; fix.\lambda \bar X : \bar\tau[\bar X ; A ; \bar R] \Rightarrow fix.\tau ; \bar R$



Proof: Without loss of generality assume that the predicate transformers $\tau$ and $\bar\tau$ are upward closed. Define

$Q_0 = L$
$Q_{i+1} = \tau[Q_i]$
$\bar Q_0 = L$
$\bar Q_{i+1} = \bar\tau[\bar Q_i ; A ; \bar R]$

We prove:

$Q_i ; \bar R ; A \Rightarrow Q_i$

This proposition is obtained by a straightforward induction proof on $i$. For $i = 0$ we have to show:

$L ; \bar R ; A \Rightarrow L$

which is trivially true, since $L$ holds for all functions. The induction step reads as follows: from

$Q_i ; \bar R ; A \Rightarrow Q_i$

we conclude by the adequacy of $\bar R$ for $\tau$:

$Q_{i+1} ; \bar R ; A =$ {definition of $Q_{i+1}$}
$\tau[Q_i] ; \bar R ; A \Rightarrow$ {adequacy of $\bar R$ for $\tau$ and induction hypothesis}
$\tau[Q_i] =$ {definition of $Q_{i+1}$}
$Q_{i+1}$

We prove by induction on $i$:

$R ; \bar Q_i \Rightarrow Q_i ; \bar R$

For $i = 0$, we have to prove:

$R ; L \Rightarrow L ; \bar R$

This is part of our premises. Now assume the induction hypothesis holds for $i$; trivially

$R ; \bar Q_i ; A ; \bar R \Rightarrow R ; \bar Q_i ; A ; \bar R$

Therefore, with $\bar X = \bar Q_i ; A ; \bar R$ and $X = R ; \bar Q_i ; A$, by our premise we have:

$R ; \bar\tau[\bar Q_i ; A ; \bar R] \Rightarrow \tau[R ; \bar Q_i ; A] ; \bar R$

By the induction hypothesis and by the fact $Q_i ; \bar R ; A \Rightarrow Q_i$ we obtain $R ; \bar Q_i ; A \Rightarrow Q_i$, as can be seen by the derivation

$R ; \bar Q_i ; A \Rightarrow$ {induction hypothesis}
$Q_i ; \bar R ; A \Rightarrow$ {see above}
$Q_i$

We obtain:

$R ; \bar Q_{i+1} =$ {definition of $\bar Q_{i+1}$}
$R ; \bar\tau[\bar Q_i ; A ; \bar R] \Rightarrow$ {premise for $\tau$, $\bar\tau$ with $\bar X = \bar Q_i ; A ; \bar R$, $X = R ; \bar Q_i ; A$}
$\tau[R ; \bar Q_i ; A] ; \bar R \Rightarrow$ {$R ; \bar Q_i ; A \Rightarrow Q_i$, see above}
$\tau[Q_i] ; \bar R =$ {definition of $Q_{i+1}$}
$Q_{i+1} ; \bar R$

□

Note, for definite representations $R$ the premise

$R ; L \Rightarrow L ; \bar R$

is always valid as the following straightforward derivation shows:

$R ; L \Rightarrow$ {definition of $L$}
$R ; A ; L ; \bar R =$ {since $R ; A = I$}
$L ; \bar R$

We immediately obtain the following theorem as a corollary. It can be useful for simplifying the refinement of recursion.
Theorem 9 Given the premises of the theorem above and in addition

we have

$R ; fix.\bar\tau \Rightarrow fix.\tau ; \bar R$

Proof: The theorem is proved by a straightforward deduction:

$R ; fix.\bar\tau \Rightarrow$ {premise}
$R ; fix.\lambda \bar X : \bar\tau[\bar X ; A ; \bar R] \Rightarrow$ {Theorem 8}
$fix.\tau ; \bar R$

□

Note, even if $I$ is not a refinement of $A ; \bar R$, that is even if $I \Rightarrow A ; \bar R$ does not hold, other refinements of $A ; \bar R$ may be used to simplify the term $A ; \bar R$ in the specification

$fix.\lambda \bar X : \bar\tau[\bar X ; A ; \bar R]$
Example 8 Compositionality of Refinement for Recursion

Of course, instead of giving a feedback loop as in Example 7 above we may also define an infinite network recursively by*:

letrec $Q = \tau[Q]$

where

$\tau[X] = T ; (I \| X) ; F$

Again we obtain (as a straightforward proof along the lines of the proof above for $\mu F = C$ shows):

$Q = C$

It is also a straightforward proof to show that

$(R ; \bar X \Rightarrow X ; R) \Rightarrow (R ; \bar\tau[\bar X] \Rightarrow \tau[X] ; R)$

where

$\bar\tau[\bar X] = T ; (I \| (\bar X ; A ; R)) ; \bar F$

Therefore we have

$R ; \bar Q \Rightarrow Q ; R$

where

letrec $\bar Q = \bar\tau[\bar Q]$

by our compositionality results. Again $A ; R$ can be replaced by its refinement as shown above.

End of example

Using recursion we may define even infinite nets. The theorem above shows that a refinement of an infinite net that is described by a recursive equation is obtained by refinement of the components of the net.

*The predicate transformer $\tau$ is obtained by the unfold rule for feedback.

7 Predicate Transformers as Refinements

So far we have considered the refinement of components by refining on the one hand their tuples of input streams and on the other hand their tuples of output streams. A more general notion of refinement is obtained by considering predicate transformers themselves as refinements.

Definition 9 (Refining context) A predicate transformer

$\mathcal{R} : SPEC \to SPEC$

is called a refining context, if there exists a mapping

$\mathcal{A} : SPEC \to SPEC$

called abstracting context such that for all predicates $X$ we have:

$\mathcal{A}.\mathcal{R}.X \Rightarrow X$

Refining contexts can be used to define a quite general notion of refinement.

Definition 10 (Refinement by refining contexts) Let $\mathcal{R}$ be a refining context with abstracting context $\mathcal{A}$. A specification $\bar Q$ is then called a refinement for the abstracting context $\mathcal{A}$ of the specification $Q$, if:

$\mathcal{A}.\bar Q \Rightarrow Q$

Note, $\mathcal{R}.Q$ is a refinement of the specification $Q$ for the abstracting context $\mathcal{A}$.

Refining contexts may be defined by the compositional forms introduced in the previous sections.

Example 9 Refining Contexts

For component specifications $Y$ with one input channel and two output channels we define a predicate transformer

$\mathcal{A} : SPEC \to SPEC$

by the equation:

$\mathcal{A}.Y = \mu((P \| T) ; Y) ; (T \| I)$

Figure 7: Graphical representation of $\mathcal{A}.Y$

where the component $P$ specifies functions

$p : D^\omega \times \{?, \surd\}^\omega \to D^\omega$

A graphical representation of $\mathcal{A}.Y$ is given in Figure 7. Let $P$ be specified by:

$P.p \equiv \forall x \in D^\omega, y \in \{?, \surd\}^\omega : p(m \frown x, ? \frown y) = m \frown p(m \frown x, y)$

For a component specification $X$ with one input channel and one output channel we define a predicate transformer:

$\mathcal{R} : SPEC \to SPEC$

where

where the component $Q$ specifies functions

$q : D^\omega \to \{?, \surd\}^\omega \times (D \cup \{\surd\})^\omega$

Let $Q$ be specified by:

$Q.q \equiv \forall x \in D^\omega : \exists k \in \mathbb{N} : \forall j \in \mathbb{N} : j \leq k \Rightarrow$

$q(m^j) = [?^{j+1}, \langle\rangle]$
$\wedge\ q((m^{k+1}) \frown x) = [(?^{k+1}) \frown \surd, m] \frown q.x$

Let $m^k$ stand for the finite stream of length $k$ containing just copies of the message $m$. To show that $\mathcal{A}$ and $\mathcal{R}$ define a refining context we show that:

$\mathcal{A}.\mathcal{R}.X = X$

which is equivalent to showing that for all specifications $X$:

$\mu((P \| T) ; X ; Q) ; (T \| I) = X$

This is equivalent to:

$\mu((P \| T) ; Q) ; (T \| I) = I$

which is equivalent to the formula:

$\forall p, q, x : P.p \wedge Q.q \Rightarrow x = (\mu((p \| T) ; q) ; (T \| I)).x$

which can be shown by a proof based on the specifications of $P$ and $Q$. Let $/$ stand for $(I_2 \| T)$ and $\backslash$ stand for $(T \| I_1)$. For functions $p$ and $q$ with $P.p$ and $Q.q$ there exists $k \in \mathbb{N}$ such that $\forall j \in \mathbb{N}$ with $j \leq k$:

\ ./j'x.A z : q.p. / (m^x, (?)^y, z) = 
\ .fix.X y, z : q{{,m')'^ p{m'^x, y)) — 
\ .fix.k y, z : [?'+', {)Y'q.p{m'~x, y) = 
\ .fix.X y, z : q.p. / {m'^x, (?'+^)'")', z) 

This can be shown by a straightforward proof of induction on i. By this we obtain for 
i=k+\: 

\ .fix.X y, z : q.p. / {m'~ x, y, z) = 

\ .fix.X y, z : q.p. / (m^x, (?*+^)'">', z) 



Furthermore: 



\ .fix.X y, z : q.p. / (m'^x, z) = 

.fix.X y, z : qii.m'^^^)'^ p{m'^x, >')) = 
.fix.X y, z : [{7'^'^^)''^^ , m]'~^q.pim'~ x, y) 
. fix./ y, z : q.pim^x, = 
.fix.X y, z : [(?'^+')"^, m]^q.p{m'"x, y) = 
m'~^ \ .fix.X y, z : q.p(m'~ x, y) = 
\ .fix.X y, z '■ q.p. / (mTx, y, z) 



\ 
\ 
\ 



We obtain 

p; q); \)(m^x) = 
\ .fix.X y, z : q-P- / {mTx, y, z) — 
\ .fix.X y, z : q.p. )/ (mTx, y, z) 

By induction on the length of $x$ and the continuity of the involved functions the proposition above is proved.

End of example 



Context refinement is indeed a generalization of interaction refinement. Given two pairs of definite representation and abstraction specifications $R, A$ and $\bar R, \bar A$, by

$\mathcal{A}.Y = R ; Y ; \bar A$

$\mathcal{R}.X = A ; X ; \bar R$

Figure 8: Graphical representation of the master/slave system

a refining context and an abstracting context are defined, since

$\mathcal{A}.\mathcal{R}.X =$
$\mathcal{A}.(A ; X ; \bar R) =$
$R ; (A ; X ; \bar R) ; \bar A \Rightarrow$
$X$

Refining contexts lead to a more general notion of refinement than interaction refinement. There are specifications $Q$ and $\bar Q$ such that there do not exist consistent specifications $R$ and $A$ where

$R ; \bar Q ; A \Rightarrow Q$

but there may exist refining contexts $\mathcal{R}$ and $\mathcal{A}$ such that

$\mathcal{A}.\bar Q \Rightarrow Q$

Refining contexts may support the usage of sophisticated feedback loops between the refined system and the refining context. This way a dependency between the representation of the input history and the output history can be achieved.

A very general form of a refining context is obtained by a special operator for forming networks called master/slave systems. For notational convenience we introduce a special notation for master/slave systems. A graphical representation of master/slave systems is given in Figure 8. A master/slave system is denoted by $Q\lfloor H\rfloor$. It consists of two components $Q$ and $H$ called the master $Q \in SPEC$ and the slave $H \in SPEC$. Then $Q\lfloor H\rfloor \in SPEC$. All the input of the slave comes via the master and all the output of the slave goes to the master. The master/slave system is defined as follows:

QlH] =n{iQ\\fy,{h\\Hy, xy,{r\\h) 

or in a more readable notation:

$(Q\lfloor H\rfloor).f \equiv \exists q, h : Q.q \wedge H.h \wedge f = q\lfloor h\rfloor$

where $\forall x, y, z$:

$(q\lfloor h\rfloor).x = z$ where $(z, y) = fix.\lambda z, y : q(x, h.y)$

We can define a refining context and an abstracting context based on the master/slave system concept: we look for predicate transformers

$\mathcal{R} : SPEC \to SPEC$

with abstracting context

$\mathcal{A} : SPEC \to SPEC$

and for specifications $V \in SPEC$ and $W \in SPEC$ where the refining context and the abstracting context are specified as follows:

$\mathcal{R}.X = V\lfloor X\rfloor$

$\mathcal{A}.Y = W\lfloor Y\rfloor$

and the following requirement is fulfilled:
We give an analysis of this requirement based on a further form of composition called a cooperator. The cooperator is denoted by $\Upsilon^{m}_{n}$ where $m, n \in \mathbb{N}$. For specifications $Q \in SPEC$, $\bar Q \in SPEC$ the cooperator is defined as follows:

$(Q\ \Upsilon^{k}_{\bar k}\ \bar Q) \in SPEC$

$(Q\ \Upsilon\ \bar Q).f \equiv \exists q, \bar q : Q.q \wedge \bar Q.\bar q \wedge f = (q\ \Upsilon\ \bar q)$

where

$(q\ \Upsilon\ \bar q).(x, \bar x) = (z, \bar z)$ where $(z, y, \bar y, \bar z) = fix.\lambda z, y, \bar y, \bar z : (q(x, \bar y), \bar q(y, \bar x))$

A graphical presentation of the cooperator is given in Figure 9.

A straightforward rewriting shows that the cooperator is indeed a generalization of the master/slave. For $H \in SPEC$:

In particular we obtain:

$W\lfloor V\lfloor X\rfloor\rfloor = W\lfloor(V\ \Upsilon\ X)\rfloor = (W\ \Upsilon\ V)\lfloor X\rfloor$
Figure 9: Graphical representation of the cooperator

and therefore the condition:

reads as follows:

The following theorem gives an analysis for the component $W\ \Upsilon\ V$.

Theorem 10 The implication

$(W\ \Upsilon\ V)\lfloor X\rfloor \Rightarrow X$

implies

$(W\ \Upsilon\ V) = \times$

Recall, $\times$ just swaps its input streams.

Proof: By the definition of cooperation we may conclude that for every function $w$ and every function $v$ such that $W.w$ and $V.v$ and for every $f$ where $X.f$ there exists a function $\bar f$ where $X.\bar f$ such that:

$\exists \bar z : (z, \bar z) = (w\ \Upsilon\ v)(x, f.\bar z) \Leftrightarrow z = f.x$

Since this formula is true for all specifications $X$ and therefore also for definite specifications, the formula holds for all functions $f$ where in addition $\bar f = f$. We obtain for the constant function $f$ with $z = f.x$ for all $x$ and for all $z$:



3z : (z, z) = (? V z) ^ z = 2 



The equation above therefore simplifies to 



3z : (/.z, z) = V /-z) <^ U = A 



Now we prove that from this formula we can conclude: 



We do the proof by contradiction. Assume there exists x such that: 



(A,z) = (?f v)(x,/.z) 



and X ^ z. Then we can choose a function / such that f.x ^ f.z. This concludes the 
proof of the theorem. 



By the concept of refining contexts we then may consider the refined system

The refinement of this refined network can then be continued by refining $V[X]$ and leaving its environment $W$ as it is.

There is a remarkable relationship between master/slave systems and the system structures studied in rely/guarantee specification techniques as advocated, among others, in [Abadi, Lamport 90]. The master can be seen as the environment and the slave as the system. This indicates that the master/slave situation models a very general form of composition. Every net with a subnet $H$ can be understood as a master/slave system $Q[H]$ where $Q$ denotes the surrounding net, the environment, of $H$. This form of network is generalized by the cooperator as a composing form, where in contrast to master/slave systems the situation is fully symmetric.



The cooperating components $Q$ and $\bar Q$ in $Q \curlyvee \bar Q$ can be seen as their mutual environments. The concept of cooperation is the most general notion of a composing form for components. All composing forms considered so far are just special cases of cooperation; for $Q \in SPEC^n_m$, $P \in SPEC^m_k$ we obtain:



$$Q ; P = Q \curlyvee^{m}_{0} P$$

$$Q \,\|\, P = Q \curlyvee^{0}_{0} P$$

$$\mu Q = (Q ; T) \curlyvee I$$
Let a net $N$ be given with the set $F$ of components. Every partition of $F$ into two disjoint sets of components leads to a partition of the net into two disjoint subnets, say $Q$ and $\bar Q$, such that the net is equal to $Q \curlyvee^{k}_{\bar k} \bar Q$, where $k$ denotes the number of channels in $N$ leading from $Q$ to $\bar Q$ and $\bar k$ denotes the number of channels leading from $\bar Q$ to $Q$. Then both subnets can be further refined independently.
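As an added example (not part of the paper), the following Python models the cooperator on finite stream prefixes: streams are tuples, the approximation order is the prefix order, and the fixpoint in the definition of $q \curlyvee \bar q$ is computed by Kleene iteration from the empty streams. It checks the two special cases $Q ; P = Q \curlyvee^{m}_{0} P$ and $Q \| P = Q \curlyvee^{0}_{0} P$ stated above against direct composition, runs a genuine request/acknowledgement feedback between a master and a slave, and rejects a component that retracts output, since the iteration is only sound for monotonic components (the case the conclusion below leaves open). All component names and messages (`cooperate`, `master`, `slave`, the requests `r1`, `r2`) are constructed for this example.

```python
"""Cooperator q ⋎ q̄ over finite stream prefixes, evaluated by Kleene iteration.

Added example, not from the paper. Channel layout follows the paper's definition:
  q  : (x, ȳ) -> (z, y)   x: n inputs, ȳ: k̄ inputs fed back from q̄, z: m own outputs, y: k outputs to q̄
  q̄  : (y, x̄) -> (ȳ, z̄)  y: k inputs from q, x̄: n̄ inputs, ȳ: k̄ outputs to q, z̄: m̄ own outputs
  (q ⋎ q̄)(x, x̄) = (z, z̄) where (z, y, ȳ, z̄) = fix λ z, y, ȳ, z̄ : (q(x, ȳ), q̄(y, x̄))
"""
from typing import Callable, Tuple

Stream = Tuple[str, ...]            # finite prefix of a message stream
Streams = Tuple[Stream, ...]        # one tuple entry per channel
StreamFn = Callable[[Streams], Streams]


def is_prefix(a: Stream, b: Stream) -> bool:
    return b[:len(a)] == a


def cooperate(q: StreamFn, qbar: StreamFn, n: int, m: int, k: int, kbar: int,
              nbar: int, mbar: int, max_rounds: int = 10_000) -> StreamFn:
    """Build (q ⋎ q̄) with k channels q -> q̄ and k̄ channels q̄ -> q."""
    def f(inputs: Streams) -> Streams:
        if len(inputs) != n + nbar:
            raise ValueError(f"expected {n + nbar} input channels, got {len(inputs)}")
        x, xbar = inputs[:n], inputs[n:]
        bottom = lambda c: ((),) * c                                  # ⊥: every channel empty
        approx = (bottom(m), bottom(k), bottom(kbar), bottom(mbar))   # (z, y, ȳ, z̄)
        for _ in range(max_rounds):
            z, y, ybar, zbar = approx
            out_q = q(x + ybar)                                       # q(x, ȳ) = (z, y)
            out_qbar = qbar(y + xbar)                                 # q̄(y, x̄) = (ȳ, z̄)
            nxt = (out_q[:m], out_q[m:], out_qbar[:kbar], out_qbar[kbar:])
            # Kleene iteration is only sound for monotonic components: every round
            # must extend, never retract, what the previous round produced.
            for old, new in zip(approx, nxt):
                if len(old) != len(new) or not all(is_prefix(a, b) for a, b in zip(old, new)):
                    raise ValueError("non-monotonic component: an output was retracted")
            if nxt == approx:                                         # least fixpoint reached
                return z + zbar
            approx = nxt
        raise RuntimeError("no fixpoint within max_rounds (unbounded feedback?)")
    return f


# --- constructed sample components (not from the paper) -----------------------
def shout(s: Streams) -> Streams:        # Q: n=1, k̄=0 -> m=0 own outputs, k=1 to the partner
    return (tuple(w.upper() for w in s[0]),)

def bang(s: Streams) -> Streams:         # P: k=1 from the partner, n̄=0 -> k̄=0, m̄=1 own output
    return (tuple(w + "!" for w in s[0]),)

def master(s: Streams) -> Streams:       # n=1 requests x, k̄=1 acks ȳ -> m=1 log z, k=1 forwarded y
    x, ybar = s
    z = tuple(f"{r}->{a}" for r, a in zip(x, ybar))   # pairs, truncated to the acks seen so far
    return (z, x)

def slave(s: Streams) -> Streams:        # k=1 requests y, n̄=0 -> k̄=1 acks ȳ, m̄=1 audit trail z̄
    (y,) = s
    return (tuple("ack:" + r for r in y), tuple("served:" + r for r in y))

def master_bad(s: Streams) -> Streams:   # claims "done" before any ack and retracts it afterwards
    x, ybar = s
    return ((("done",) if not ybar else ()), x)

def sequential() -> Streams:             # Q ; P  =  Q ⋎ P with k = m, k̄ = 0
    return cooperate(shout, bang, n=1, m=0, k=1, kbar=0, nbar=0, mbar=1)((("hello", "world"),))

def parallel() -> Streams:               # Q || P  =  Q ⋎ P with k = k̄ = 0
    def shout_own(s: Streams) -> Streams:  # like shout, but m=1 own output and k=0
        return (tuple(w.upper() for w in s[0]),)
    return cooperate(shout_own, bang, n=1, m=1, k=0, kbar=0, nbar=1, mbar=1)((("a", "b"), ("c",)))

def feedback() -> Streams:               # master/slave ping-pong through the k = k̄ = 1 channels
    return cooperate(master, slave, n=1, m=1, k=1, kbar=1, nbar=0, mbar=1)((("r1", "r2"),))

def rejects_retraction() -> bool:        # the iteration refuses a non-monotonic master
    try:
        cooperate(master_bad, slave, n=1, m=1, k=1, kbar=1, nbar=0, mbar=1)((("r1",),))
    except ValueError:
        return True
    return False
```

Finite prefixes stand in for the infinite streams of the paper; on prefixes every ascending chain that the iteration climbs is finite, so the loop terminates unless the feedback keeps generating output, which is what `max_rounds` guards against. The request/acknowledgement run shows the causality that feedback imposes: the master's log only fills in on the third round, after its forwarded requests have travelled to the slave and the acks have come back.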

8 Conclusion 

The notion of compositional refinement depends on the operators, the composing forms, considered for composing a system. Compositionality is not a goal per se. It is helpful for performing global refinements by local refinements. Refining contexts, master/slave systems and the cooperator are of additional help for structuring and restructuring a system so as to allow local refinements.

The previous sections have demonstrated that using functional techniques a composi- 
tional notion of interaction refinement is achieved. The refinement of the components 
of a large net can be mechanically transformed into a refinement of the entire net. 

Throughout this paper only notions of refinement have been treated that can be expressed by continuous representation and abstraction functions. This is very much along the lines of [CIP 84] and [Broy et al. 86], where it is considered an important methodological simplification if the abstraction and representation functions can be used at the level of specified functions. There are interesting examples of refinement, however, where the representation functions are not monotonic (see the representation functions obtained by the introduction of time in [Broy 90]). A compositional treatment of the refinement of feedback loops in these cases remains an open problem.
A Appendix: Full Abstraction

Looking at functional specifications one may realize that sometimes they specify more properties than one might be interested in, and than one may observe under the considered composing forms. Basically we are interested in two observations for a given specification $Q$, a function $f$ with $Q.f$, and input streams $x$. The first one is straightforward: we are interested in the output streams $y$ where

$$y = f.x$$

But, in addition, for controlling the behavior of components, especially within feedback loops, we are interested in causality. Given just a finite prefix of the considered input streams $x$, causality of input with respect to output determines how much output (which by monotonicity of $f$ is a prefix of $y$) is guaranteed by $f$.

More technically, we may represent the behavior of a system component by all ob- 
servations about the system represented by pairs of chains of input and corresponding 
output streams. 

A set $\{x_i \in (M^\omega)^n : i \in \mathbb{N}\}$ is called a chain, if for all $i \in \mathbb{N}$ we have $x_i \sqsubseteq x_{i+1}$. Given a specification $Q \in SPEC^n_m$, a pair of chains

$$\big(\{x_i \in (M^\omega)^n : i \in \mathbb{N}\},\ \{y_i \in (M^\omega)^m : i \in \mathbb{N}\}\big)$$

is called an observation about $Q$, if there exists a function $f$ with $Q.f$ such that for all $i \in \mathbb{N}$:

$$y_i \sqsubseteq f.x_i$$

and

$$\bigsqcup\{y_i : i \in \mathbb{N}\} = \bigsqcup\{f.x_i : i \in \mathbb{N}\}$$

The behavior of a system component specified by Q then can be represented by all 
observations about Q. Unfortunately, there exist functional specifications which show 
the same set of observations, but, nevertheless, characterize different sets of functions. 
For an example we refer to [Broy 90]. 

Fortunately such functional specifications can be mapped easily onto functional specifications where the set of specified functions is exactly the one characterized by its set of observations. For this reason we introduce a predicate transformer

$$A : SPEC^n_m \to SPEC^n_m$$

that maps a specification on its abstract counterpart. This predicate transformer basically constructs for a given predicate $Q$ a predicate $A.Q$ that is fulfilled exactly for those continuous functions that can be obtained by a combination of the graphs of functions from the set of functions specified by $Q$. We define

$$(A.Q).f \;\equiv\; \forall x : \exists \bar f : Q.\bar f \wedge f \sqsubseteq \bar f \wedge \bar f.x = f.x$$

where

By this definition we obtain immediately the monotonicity and the closure property of 
the predicate transformer A. 

Theorem 11 (Closure property of the predicate transformer A)

$$(Q \Rightarrow \bar Q) \Rightarrow (A.Q \Rightarrow A.\bar Q)$$

$$Q \Rightarrow A.Q$$

$$A.Q = A.A.Q$$

Proof: Straightforward, since $Q.\bar f$ occurs positively in the definition of $A.Q$, $f \sqsubseteq f$, and

$$\forall x : \exists \bar f : (A.Q).\bar f \wedge f \sqsubseteq \bar f \wedge \bar f.x = f.x \;\Rightarrow\; (A.Q).f$$



A specification $Q$ is called fully abstract, if

$$Q = A.Q$$
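The following Python, an added example rather than the paper's own material, instantiates the definitions of this appendix on a finite universe $D = \{\langle\rangle, \langle a\rangle, \langle a\,a\rangle\}$ so that the transformer $A$ (read with $f \sqsubseteq \bar f$: $f$ lies below a specified function that agrees with it at $x$) and the observation relation can be computed by enumeration. The constructed specification `Q1 = {F1, F2}` admits a third monotonic function `G` under $A$, so `Q1` and $A.$`Q1` characterize different sets of functions but the same observations, and the closure properties of Theorem 11 can be checked directly. Chains are cut off after three elements and taken to be constant from then on, so both suprema are the last elements. All names (`abstract`, `observations`, `F1`, `F2`, `G`) are this example's own.

```python
"""Full abstraction on a finite stream universe (added example, not from the paper)."""
from itertools import product
from typing import FrozenSet, Iterator, Tuple

Stream = Tuple[str, ...]
D: Tuple[Stream, ...] = ((), ("a",), ("a", "a"))   # constructed, prefix-closed universe
Fn = Tuple[Stream, ...]   # a function D -> D, stored as its value table in the order of D
Spec = FrozenSet[Fn]      # a specification: the set of functions it admits


def leq(a: Stream, b: Stream) -> bool:
    """Prefix order on streams (the approximation order)."""
    return b[:len(a)] == a


def fn_leq(f: Fn, g: Fn) -> bool:
    """Pointwise prefix order on functions, f ⊑ g."""
    return all(leq(fx, gx) for fx, gx in zip(f, g))


def monotonic_functions() -> Spec:
    """All tables D -> D that respect the prefix order; only these are admissible."""
    idx = range(len(D))
    return frozenset(
        t for t in product(D, repeat=len(D))
        if all(leq(t[i], t[j]) for i in idx for j in idx if leq(D[i], D[j]))
    )


ALL: Spec = monotonic_functions()


def abstract(Q: Spec) -> Spec:
    """(A.Q).f  ≡  ∀x ∃f̄ : Q.f̄ ∧ f ⊑ f̄ ∧ f̄.x = f.x, evaluated over all monotonic f."""
    return frozenset(
        f for f in ALL
        if all(any(fn_leq(f, fb) and fb[i] == f[i] for fb in Q) for i in range(len(D)))
    )


def chains(length: int) -> Iterator[Tuple[Stream, ...]]:
    """Chains x_0 ⊑ x_1 ⊑ ... over D, truncated after `length` elements."""
    for seq in product(D, repeat=length):
        if all(leq(seq[i], seq[i + 1]) for i in range(length - 1)):
            yield seq


def observations(Q: Spec, length: int = 3) -> FrozenSet[Tuple[Tuple[Stream, ...], Tuple[Stream, ...]]]:
    """Pairs of chains (xs, ys) with y_i ⊑ f.x_i for all i and ⊔y_i = ⊔f.x_i for some f in Q.
    The chains are constant after their last element, so both suprema are the last elements."""
    obs = set()
    for xs in chains(length):
        for ys in chains(length):
            for f in Q:
                fx = [f[D.index(x)] for x in xs]
                if all(leq(y, v) for y, v in zip(ys, fx)) and ys[-1] == fx[-1]:
                    obs.add((xs, ys))
                    break
    return frozenset(obs)


# Constructed specification: F1 produces <a a> on <a a> but nothing on <a> (late output),
# F2 produces <a> already on <a> but never more.
F1: Fn = ((), (), ("a", "a"))
F2: Fn = ((), ("a",), ("a",))
G: Fn = ((), (), ("a",))          # below both; agrees with F1 on <a> and with F2 on <a a>
Q1: Spec = frozenset({F1, F2})
```

`G` is not in `Q1`, yet every observation about it (less output at finite stages, same limit) is already an observation about `F1` or `F2`, which is exactly why $A$ adds it: a specification that excludes `G` promises more than the observations can distinguish.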

We may redefine our composing forms such that the operators always deliver fully abstract specifications:

$$Q \mathbin{\tilde{;}} P \;\equiv\; A(Q ; P)$$

$$Q \mathbin{\tilde{\|}} P \;\equiv\; A(Q \| P)$$

$$\tilde\mu Q \;\equiv\; A(\mu Q)$$

All the results obtained so far carry over to the abstract view by the monotonicity of $A$, and by the fact that we have

$$A(Q ; P) = A(A.Q ; A.P)$$

$$A(Q \| P) = A(A.Q \| A.P)$$

$$A(\mu Q) = A(\mu\, A.Q)$$

Furthermore, given an upward closed predicate transformer $\tau$ we have: if $Q$ is the least solution of

$$Q = \tau[Q]$$

then $\tilde Q = A.Q$ is the least solution of

$$\tilde Q = A.\tau[\tilde Q]$$

The proof is straightforward. Note, by this concept of abstraction we may obtain

$$I \Rightarrow A \mathbin{\tilde{;}} R$$

in cases where $I \Rightarrow A ; R$ does not hold. This allows additional simplifications of network refinements.

Note, full abstraction is a relative notion. It is determined by the basic concept of observability and the composing forms. In the presence of refinement it is unclear whether full abstraction as defined above is appropriate. We have:

However, if a component $Q$ is used twice in a network $\tau[Q]$, then we do not have, in general, that for (determined) refinements $\bar Q$ of $A.Q$ there exist (determined) refinements $\tilde Q$ of $Q$ such that:

$$\tau[\bar Q] \Rightarrow \tau[\tilde Q]$$

Therefore, when using more sophisticated forms of refinement our notion of full abstraction might not always be adequate.